



TORSION LIMITS AND RIEMANN-ROCH SYSTEMS FOR 
FUNCTION FIELDS AND APPLICATIONS 

IGNACIO CASCUDO, RONALD CRAMER, AND CHAOPING XING 

Abstract. The Ihara limit (or constant) $A(q)$ has been a central problem of study in the asymptotic theory of global function fields (or equivalently, algebraic curves over finite fields). It addresses global function fields with many rational points and, so far, most applications of this theory do not require additional properties. Motivated by recent applications, we require global function fields with the additional property that their zero class divisor groups contain at most a small number of $d$-torsion points. We capture this by the torsion limit, a new asymptotic quantity for global function fields. It seems that it is even harder to determine values of this new quantity than the Ihara constant. Nevertheless, some non-trivial lower and upper bounds are derived. Apart from this new asymptotic quantity and bounds on it, we also introduce Riemann-Roch systems of equations. It turns out that this type of equation system plays an important role in the study of several other problems in areas such as coding theory, arithmetic secret sharing and multiplication complexity of finite fields. Finally, we show how our new asymptotic quantity, our bounds on it and Riemann-Roch systems can be used to improve results in these areas.



1. Introduction 

Since the discovery of algebraic geometry codes by Goppa [30] and other applications such as low-discrepancy sequences [32], the study of algebraic curves with many rational points over finite fields, or equivalently, global function fields with many rational places, has attracted many researchers from various areas, such as pure mathematicians, coding theorists and algorithmically inclined mathematicians. In the last two decades there has been tremendous research activity on this topic.

A crucial quantity in the asymptotic theory of global function fields with many rational places, namely the Ihara limit, plays an important role in coding theory and other topics. Precisely speaking, for a given prime power $q$, the Ihara limit is defined by

$$A(q) := \limsup_{g\to\infty} \frac{N_q(g)}{g},$$

where $N_q(g)$ denotes the maximum number of rational points taken over all global function fields over $\mathbb{F}_q$ of genus $g$.

The Drinfeld-Vladut bound states that $A(q) \le \sqrt{q} - 1$. By Ihara [33], $A(q) = \sqrt{q} - 1$ if $q$ is a square. By Serre's Theorem [49], $A(q) \ge c \cdot \log q$ for some absolute real constant $c > 0$ (the current best lower bound on $c$ is given in [?]).

1 This is an extended version of our paper [14] in Proceedings of 31st Annual IACR CRYPTO, Santa Barbara, Ca., USA, 2011. A first version of this paper has been widely circulated since November 2009.

So far, most applications of global function fields do not require additional properties. Motivated by recent applications (arithmetic secret sharing, see below), we require global function fields with the additional property that their zero class divisor groups contain at most a small number of $d$-torsion points. The exact same requirements are needed for multiplication complexity of extension fields over finite fields. Although the latter topic started much earlier, the role of the 2-torsion points in its zero class divisor group was overlooked [51, 1].

Our main mathematical contribution of this paper is to introduce two new 
primitives for function fields over finite fields, namely the torsion limit and 
systems of Riemann-Roch equations. Our torsion limit, which we believe is of 
independent interest, can in general be upper bounded using Weil's classical 
theorem on torsion in Abelian varieties (and in many cases using the Weil- 
pairing). However, the resulting bound is far too pessimistic, as we present 
a tower for which our torsion limit is considerably smaller, yet it attains the 
Drinfeld-Vladut bound. 

A system of Riemann-Roch equations consists of simultaneous equations whose variables are divisors. Although Riemann-Roch systems have been implicitly studied in coding theory [?], such a concept has not been formally introduced. Moreover, we are interested in systems of a more general type than the ones considered in those papers, as we will explain. In several interesting cases, the existence of solutions will depend very much on the torsion in the class group. Hence, in the asymptotic case, where we consider Riemann-Roch systems in a tower of function fields, their solvability will depend on our new torsion limit.

We give three applications in this paper that demonstrate the importance of such systems, in conjunction with our torsion limit and bounds on it. First, arithmetic secret sharing schemes are a special kind of codes arising in secure multi-party computation [?]. Since then, the asymptotic results of [18] have had several important and surprising applications in two-party cryptography [35, ?, ?, ?, 22, ?]. Using optimal towers of function fields, Chen and Cramer [18] showed the existence of "asymptotically good" families of such schemes. The results were improved and extended in [?]. We show how our torsion limits and Riemann-Roch equations allow us to further improve those results. Second, we consider bounds in the context of extension field multiplication. Shparlinski, Tsfasman, and Vladut [51] initiated the study of asymptotics, finding upper bounds for the limits $m_q$, $M_q$ defined in that paper. We start by noticing a gap in the proof of their main result: there is an implicit but unjustified assumption on the possibilities of positive Ihara limits in combination with the absence of non-trivial 2-torsion. The same gap exists in a more recent paper (2008) on the same subject by Ballet [1]. This results in that the upper bound stated for $m_q$ in those papers is not justified. On the other hand, Randriambololona recently proved in [?] that the bound for $m_q$ in [51] can indeed be attained in the case $A(q) > 5$. We examine the connection of this extension field multiplication problem to the solvability of a system of Riemann-Roch equations, and obtain bounds that significantly improve the state of the art for some small fields by incorporating our limit and corresponding tower. In addition, we also show how to improve the state of the art [15] regarding the upper bounds for the other limit, $M_q$, over small finite fields $\mathbb{F}_q$. Third, frameproof codes were introduced in the context of digital fingerprinting by Boneh and Shaw in [?], although a slightly different definition, which we will be using, was proposed afterwards by Fiat and Tassa [23], see also [?]. The asymptotic properties of such codes have been studied in [15, ?, ?]. We show how to improve those bounds in some cases.

This paper is organized as follows. Our main contributions are captured in Definition 2.2 (the torsion limit), Theorem 2.3 (bounds for this limit), Theorem 3.2 (sufficient conditions for Riemann-Roch system solvability), two theorems in Section 4 (the claimed arithmetic secret sharing schemes), Theorems 5.9 and 5.18 (improvements on multiplication complexity of finite field extensions) and Theorem 6.16 (improvements on asymptotical constructions for frameproof codes). After giving some preliminaries in Section 2.1, we introduce our torsion limit in Section 2.2 and show our bounds. In Section 3 we introduce Riemann-Roch systems of equations and show how these may be solved using the bounds from Section 2. In Section 4 we discuss how to obtain the claimed arithmetic secret sharing schemes. In Section 5 we show how our torsion limit and Riemann-Roch systems can be applied to the multiplication complexity of finite field extensions. Finally, in Section 6 we show our application to the asymptotical study of frameproof codes.

2. Torsion Limits 

2.1. Preliminaries. For convenience of the reader, we start with some definitions and notations.

For a prime power $q$, let $\mathbb{F}_q$ be a finite field of $q$ elements. An algebraic function field over $\mathbb{F}_q$ in one variable is a field extension $F \supseteq \mathbb{F}_q$ such that $F$ is a finite algebraic extension of $\mathbb{F}_q(x)$ for some $x \in F$ that is transcendental over $\mathbb{F}_q$. It is assumed that $\mathbb{F}_q$ is its full field of constants, i.e., the algebraic closure of $\mathbb{F}_q$ in $F$ is $\mathbb{F}_q$ itself.

The following notations will be used throughout the rest of the paper.

• $F/\mathbb{F}_q$ - a function field with full constant field $\mathbb{F}_q$;

• $g(F)$ - the genus of $F$;

• $N(F)$ - the number of rational places of $F$;

• $\mathbb{P}(F)$ - the set of places of $F$ (note that $\mathbb{P}(F)$ is an infinite set);

• $\mathbb{P}^{(k)}(F)$ - the set of places of degree $k$ of $F$ (note that $\mathbb{P}^{(k)}(F)$ is a finite set);

• $N_i(F)$ - the number of $\mathbb{F}_{q^i}$-rational places (note that $N(F) = N_1(F)$);

• $\mathrm{Div}(F)$ - the divisor group of $F$;

• $\mathrm{Div}^0(F)$ - the divisor group of degree 0;

• $\mathrm{Prin}(F)$ - the principal divisor group of $F$;

• $\mathrm{Cl}(F)$ - the divisor class group $\mathrm{Div}(F)/\mathrm{Prin}(F)$ of $F$;

• $\mathrm{Cl}_0(F) = \mathcal{J}_F$ - the zero divisor class group $\mathrm{Div}^0(F)/\mathrm{Prin}(F)$ of $F$ (note that $\mathrm{Cl}_0(F)$ is a finite group);

• $\mathcal{J}_F[r]$ - the group of $r$-torsion points in $\mathcal{J}_F$;

• $h(F) = |\mathrm{Cl}_0(F)|$ - the zero divisor class number;

• $\mathcal{A}_r(F)$ - the set of effective divisors of degree $r \ge 0$ (note that $\mathcal{A}_r(F)$ is a finite set);

• $A_r(F)$ - the cardinality of $\mathcal{A}_r(F)$;

• $\mathrm{Cl}_r(F)$ - the set $\{[D] : \deg(D) = r\}$, where $[D]$ stands for the divisor class containing $D$;

• $\mathrm{Cl}_r^+(F)$ - the set $\{[D] : \deg(D) = r,\ D \ge 0\}$.

In case there is no confusion, we omit the function field $F$ in some of the above notations. For instance, $A_r(F)$ is denoted by $A_r$ if it is clear in the context. For a divisor $G$ of $F$, we define the Riemann-Roch space by

$$\mathcal{L}(G) := \{f \in F^* : \mathrm{div}(f) + G \ge 0\} \cup \{0\}.$$

Then $\mathcal{L}(G)$ is a finite dimensional space over $\mathbb{F}_q$ and its dimension $\ell(G)$ is determined by the Riemann-Roch theorem, which gives

$$\ell(G) = \deg(G) + 1 - g(F) + \ell(K - G),$$

where $K$ is a canonical divisor of degree $2g(F) - 2$. Therefore, we always have that $\ell(G) \ge \deg(G) + 1 - g(F)$, and equality holds if $\deg(G) \ge 2g(F) - 1$. The zeta function $Z_F(t)$ of $F$ is defined by the following power series
Then Weil showed that $Z_F(t)$ is in fact a rational function of the form

$$Z_F(t) = \frac{L_F(t)}{(1-t)(1-qt)},$$

where $L_F(t)$ is a polynomial of degree $2g(F)$ in $\mathbb{Z}[t]$, called the L-polynomial of $F$. Furthermore, $L_F(0) = 1$. If we factorize $L_F(t)$ into a linear product $\prod_{i=1}^{2g(F)} (\alpha_i t - 1)$ in $\mathbb{C}[t]$, then Weil showed that $|\alpha_i| = \sqrt{q}$ for all $1 \le i \le 2g(F)$. From the definition of the zeta function, one obtains

$$N_m(F) = q^m + 1 - \sum_{i=1}^{2g(F)} \alpha_i^m$$

for all $m \ge 1$. This gives the Hasse-Weil bound

$$N(F) = N_1(F) \le q + 1 + 2g(F)\sqrt{q}.$$

For applications to coding [?], low-discrepancy sequences [?] and several problems in cryptography [12], we are interested in function fields $F$ with a large number $N(F)$ of rational points. In particular, we want to determine the values of the following quantity

$$N_q(g) = \max_F N(F),$$

where $F$ ranges over all function fields of genus $g$ over $\mathbb{F}_q$.

One can imagine that it is not easy at all to determine the exact value $N_q(g)$ for an arbitrary pair $(q,g)$. The complete solution to this problem has been found only for $g = 0, 1, 2$ [49]. The reader may refer to [22] for a table of values of $N_q(g)$ for some small values of $q$ and $g$.

In order to study the asymptotic behavior of $N_q(g)$ when $q$ is fixed and $g$ tends to $\infty$, we can define the following asymptotic quantity

$$A(q) := \limsup_{g\to\infty} \frac{N_q(g)}{g}.$$

An upper bound on $A(q)$ was given by Vladut and Drinfeld [?]:

$$A(q) \le \sqrt{q} - 1.$$

For applications, we are more interested in finding lower bounds on this asymptotic quantity. Ihara [33] first showed by using modular curves that $A(q) \ge \sqrt{q} - 1$ for any square power $q$. This result determines the exact value of $A(q)$ for all square powers, i.e.,

$$(2.1) \qquad A(q) = \sqrt{q} - 1.$$

On the other hand, no single value of $A(q)$ is known if $q$ is a non-square. However, some lower bounds have been obtained so far. For instance, by using modular curves and explicit function fields, Zink [66], Bezerra-Garcia-Stichtenoth [?] and Bassa-Garcia-Stichtenoth [7] showed that

$$(2.2) \qquad A(q^3) \ge$$

Recently, Garcia-Stichtenoth-Bassa-Beelen [28] produced an explicit tower of function fields over finite fields $\mathbb{F}_{p^{2m+1}}$ for any prime $p$ and integer $m \ge 1$ and showed that this tower gives

$$A(p^{2m+1}) \ge \frac{2(p^{m+1} - 1)}{p + 1 + \epsilon} \quad \text{with} \quad \epsilon = \frac{p-1}{p^m - 1}.$$

Serre made use of class field theory to show that there is an absolute positive constant $c$ such that

$$A(q) \ge c \cdot \log(q)$$

for every prime power $q$.

In another direction, lower bounds on $A(q)$ have already been obtained for small primes $q$ such as $q = 2, 3, 5, 7, 11, 13, \dots$. For instance, in [63], Xing and Yeo showed that

$$A(2) \ge 0.258.$$

For a family $\mathcal{F} = \{F/\mathbb{F}_q\}$ of function fields with $g(F) \to \infty$ such that $\lim_{g(F)\to\infty} N(F)/g(F)$ exists, one can define this limit to be the Ihara limit, denoted by $A(\mathcal{F})$. It is clear that there exists a family $\mathcal{E} = \{E/\mathbb{F}_q\}$ of function fields such that $g(E) \to \infty$ and the Ihara limit $A(\mathcal{E})$ is equal to $A(q)$.

Remark 2.1. In general, we can define the Ihara limit for any family $\mathcal{F} = \{F/\mathbb{F}_q\}$ of function fields with $g(F) \to \infty$ by $\limsup_{g(F)\to\infty} N(F)/g(F)$. However, for convenience of this paper, we define the Ihara limit only for those families $\{E/\mathbb{F}_q\}$ whose limit $\lim_{g(E)\to\infty} N(E)/g(E)$ exists.

2.2. Torsion Point Limits. Due to some recent applications to arithmetic secret sharing and multiplications in finite field extensions, we are interested in considering, in addition to the Ihara limit of a family of function fields, a limit for the number of torsion points of the zero divisor class groups of these function fields.

Let $F/\mathbb{F}_q$ be a function field. For a positive integer $r$ bigger than 1, we denote by $\mathcal{J}_F[r]$ the $r$-torsion point group in $\mathcal{J}_F$, i.e.,

$$\mathcal{J}_F[r] := \{[D] \in \mathcal{J}_F : r[D] = 0\}.$$

The cardinality of $\mathcal{J}_F[r]$ is denoted by $J_F[r]$.

For each family $\mathcal{F} = \{F/\mathbb{F}_q\}$ of function fields with $g(F) \to \infty$, we define the asymptotic limit

$$J_r(\mathcal{F}) := \liminf_{g(F)\to\infty} \frac{\log_q J_F[r]}{g(F)}.$$

We need to define an asymptotic notion involving both $J_r(\mathcal{F})$ and the Ihara limit $A(\mathcal{F})$.

Definition 2.2. For a prime power $q$, an integer $r > 1$ and a real $a \le A(q)$, let $\Phi$ be the set of families $\{\mathcal{F}\}$ of function fields over $\mathbb{F}_q$ such that the genus in each family tends to $\infty$ and the Ihara limit $A(\mathcal{F}) \ge a$ for every $\mathcal{F} \in \Phi$. Then the asymptotic quantity $J_r(q,a)$ is defined by

$$J_r(q,a) = \liminf_{\mathcal{F} \in \Phi} J_r(\mathcal{F}).$$

Thus, for a given family, our limit $J_r(\mathcal{F})$ measures the $r$-torsion against the genus. The corresponding constant $J_r(q,a)$ measures, for a given Ihara limit $a$ and for given $r$, the "least possible $r$-torsion". Note that $A(q)$, Ihara's constant, is the supremum of $A(\mathcal{F})$ taken over all asymptotically good $\mathcal{F}$ over $\mathbb{F}_q$. For some applications such as multiplication in extension fields in Subsection 4.2, one may be interested in function fields with many places of higher degree and small torsion limit. The above definition could be modified by replacing the Ihara limit by the limit of the number of places of higher degree against the genus.

Now we are ready to state the main result of this section.

Theorem 2.3. Let $\mathbb{F}_q$ be a finite field and let $r > 1$ be a prime.

(i) If $r \mid (q-1)$, then $J_r(q, A(q)) \le \dfrac{2}{\log_r q}$.

(ii) If $r \nmid (q-1)$, then $J_r(q, A(q)) \le \dfrac{1}{\log_r q}$.

(iii) If $q$ is a square and $r \mid q$, then $J_r(q, \sqrt{q} - 1) \le \dfrac{1}{(\sqrt{q} + 1)\log_r q}$.

The first part of Theorem 2.3, as well as the second part when, additionally, $r \mid q$, is proved directly using a theorem of Weil [58, ?] on torsion in Abelian varieties. For any non-zero integer $m$, this theorem, which holds over algebraically closed fields $K$, says that the $m$-torsion point group of the variety, $A[m]$, is isomorphic to $(\mathbb{Z}/m\mathbb{Z})^{2g}$ if $m$ is co-prime to the characteristic $p$ of $K$, and $A[p]$ is isomorphic to $(\mathbb{Z}/p\mathbb{Z})^a$ for a non-negative integer $a \le g$, where $g$ is the dimension of $A$. See also [48]. Clearly, this implies upper bounds when the field is not algebraically closed. The second part, in the case $r \nmid q$ and $r \nmid (q-1)$, can be proved by using the Weil pairing for abelian varieties, and we will show it in Subsection 2.4. The most interesting part, for the purposes of this paper, is the bound in the third part, which is substantially smaller (see Subsection 2.3 for the detailed proof). Note that this last bound applies to families which attain the Drinfeld-Vladut bound.

By using a lifting idea, we are able to obtain an upper bound on the size of the $r^t$-torsion point group of an abelian variety from its $r$-torsion point group, and hence we can derive the following result from Theorem 2.3.

Theorem 2.4. Let $\mathbb{F}_q$ be a finite field of characteristic $p$.

(i) If $m \ge 2$ is an integer, then $J_m(q, A(q)) \le \log_q(dm)$, where $d = \gcd(m, q-1)$.

(ii) Write $m = p^e m'$ for some $e \ge 0$ and a positive integer $m'$ co-prime to $p$. If $q$ is a square, then $J_m(q, \sqrt{q} - 1) \le \dfrac{e}{\sqrt{q}+1}\log_q(p) + \log_q(cm')$, where $c = \gcd(m', q-1)$.

The proof of Theorem 2.4 will be completed in Subsection 2.5. Like the Ihara constant $A(q)$, it could be extremely difficult to determine the exact value of $J_r(q,a)$ for given $a$ and $q$, and we would like to leave this as an open problem. Also, in the context of solving general Riemann-Roch systems (see Section 3), it makes sense to extend the definition of the limit above to the case of $r$-torsion for a finite set of positive integers $r$ simultaneously.

Another particularly interesting case is $q = 2$. The following result gives a bound on the 2-torsion point limit for the family of function fields given in [63].

Theorem 2.5. The family $\mathcal{F}$ of function fields over $\mathbb{F}_2$ with Ihara limit $97/376$ given in [63] has 2-torsion limit $J_2(\mathcal{F})$ at most $216/376$.

The proof of this theorem is given in Subsection 2.3. Note that the bound in Theorem 2.3 gives only $J_2(\mathcal{F}) \le 1$.

Finally, we show the existence of certain function field families that is essential for our applications of Sections 4 and 5.

Theorem 2.6. For every $q \ge 8$ except perhaps for $q = 11$ or $13$, there exists a family $\mathcal{F}$ of function fields over $\mathbb{F}_q$ such that the Ihara limit $A(\mathcal{F})$ exists and it satisfies $A(\mathcal{F}) > 1 + J_2(\mathcal{F})$.

Proof. We prove it in two steps. The first one is to prove that the result is true for all $q \ge 17$ by using class field theory. The second step is to show that the result holds for $q = 8, 9, 16$ by looking at each individual $q$.

For $q \ge 17$, we prove the result only for odd $q$. For even $q$, we can similarly get it by considering Artin-Schreier extensions. Choose 7 nonzero square elements $t_1, \dots, t_7$ in $\mathbb{F}_q$ (this is possible since $(q-1)/2 \ge 7$). For each $i$, consider the extension $K_i = \mathbb{F}_q(x, y_i)$, where $y_i^2 = x + t_i$. Then the place $x$ is completely splitting in $K_i$. Let $K$ be the field $\mathbb{F}_q(x,y)$, where $y^2 = \prod_{i=1}^7 (x + t_i)$. Then $K$ is a subfield of $K_1 \cdots K_7/\mathbb{F}_q(x)$ such that $[K : \mathbb{F}_q(x)] = 2$ and $K_1 \cdots K_7/K$ is an unramified abelian extension. The three places, $\infty$ and those lying above $x$, are completely splitting in $K_1 \cdots K_7/K$. Since the 2-rank of the Galois group of $K_1 \cdots K_7/K$ is $6$, which is equal to $2 + 2\sqrt{3+1}$, $K$ has an infinite $(2,S)$-Hilbert class field tower $\mathcal{F}$, where $S$ consists of the three places $\infty$ and those lying above $x$. This yields $A(\mathcal{F}) \ge 3/(g(K) - 1) = 3/2$ (see [19] or [?, Corollary 2.7.8]). Now we have

$$A(\mathcal{F}) \ge 3/2 > 1 + 2/\log_2(17) \ge 1 + 2/\log_2 q \ge 1 + J_2(\mathcal{F}).$$

For $q = 8$, by (2.2) we know that there exists a family $\mathcal{F}$ over $\mathbb{F}_8$ such that $A(\mathcal{F}) \ge 3/2$. Thus,

$$A(\mathcal{F}) \ge \frac{3}{2} > 1 + \frac{1}{3} \ge 1 + J_2(\mathcal{F}).$$

For $q = 9$, by (2.1) we know that there exists a family $\mathcal{F}$ over $\mathbb{F}_9$ such that $A(\mathcal{F}) = 2$. Thus,

$$A(\mathcal{F}) = 2 > 1 + \frac{2}{\log_2 9} \ge 1 + J_2(\mathcal{F}).$$

For $q = 16$, by (2.1) we know that there exists a family $\mathcal{F}$ over $\mathbb{F}_{16}$ such that $A(\mathcal{F}) = 3$. Thus,

$$A(\mathcal{F}) = 3 > 1 + \frac{1}{4} \ge 1 + J_2(\mathcal{F}).$$

This completes the proof. □

2.3. Proof of Theorems 2.3(iii) and 2.5. We discussed with Alp Bassa (Sabanci) and Peter Beelen (DTU) whether there exists a tower $\mathcal{F}$ of algebraic function fields over $\mathbb{F}_q$ that attains the Drinfeld-Vladut bound and for which, at the same time, $J_r(\mathcal{F})$ is substantially smaller compared to what can be derived from Weil's theorem on torsion in Abelian varieties, especially when $r = 2$. The affirmative answer they contributed is given below.¹

Let $\mathbb{F}_q$ be a finite field. Write $p$ for its characteristic. For a function field $F$ over $\mathbb{F}_q$, denote by $j(F)$ the $\mathbb{F}_p$-dimension of $\mathcal{J}_F[p]$, i.e., $\log_p(J_F[p])$. Now, consider the constant field extension $\bar{F} = F \cdot \bar{\mathbb{F}}_q$, where $\bar{\mathbb{F}}_q$ denotes an algebraic closure of $\mathbb{F}_q$. Then the Hasse-Witt invariant $i_F$ of $F$ is defined to be the $\mathbb{F}_p$-dimension of $\mathcal{J}_{\bar{F}}[p]$. It is clear that $\mathcal{J}_F[p]$ is an $\mathbb{F}_p$-subspace of $\mathcal{J}_{\bar{F}}[p]$, and hence $i_F \ge j(F)$.

In this subsection we assume $q$ is an even power of $p$. Consider the tower $\mathcal{F} = (F^{(0)} \subset F^{(1)} \subset \cdots)$ over $\mathbb{F}_q$ introduced in [26] by Garcia and Stichtenoth, recursively defined by $F^{(0)} = \mathbb{F}_q(x_0)$ and $F^{(n+1)} = F^{(n)}(x_{n+1})$, where

$$x_{n+1}^{\sqrt{q}}\, x_n^{\sqrt{q}-1} + x_{n+1} = x_n^{\sqrt{q}}.$$

The following facts can be found in [26]:

(1) The tower $\mathcal{F}$ attains the Drinfeld-Vladut bound, i.e., its limit $A(\mathcal{F})$ is given by

$$A(\mathcal{F}) := \lim_{n\to\infty} \frac{N(F^{(n)})}{g(F^{(n)})} = \sqrt{q} - 1.$$

(2) Every place $P \in \mathbb{P}(F^{(n-1)})$ is either unramified, i.e. for every place $Q \in \mathbb{P}(F^{(n)})$ such that $Q|P$ we have $e(Q|P) = 1$, where $e(Q|P)$ denotes the ramification index, or totally ramified, i.e. there exists a unique $Q \in \mathbb{P}(F^{(n)})$ such that $Q|P$, and the ramification index $e(Q|P)$ equals $[F^{(n)} : F^{(n-1)}] = \sqrt{q}$. In the latter case, it always holds that $\deg P = \deg Q$. Moreover, for every $Q \in \mathbb{P}(F^{(n)})$ such that $Q|P$ we have

$$d(Q|P) = (\sqrt{q} + 2)(e(Q|P) - 1),$$

where $d(Q|P)$ denotes the different exponent.

(3) The genus $g(F^{(n)})$ of the function field $F^{(n)}$ is given by

$$g(F^{(n)}) = \begin{cases} q^{\frac{n+1}{2}} + q^{\frac{n}{2}} - q^{\frac{n+2}{4}} - 2q^{\frac{n}{4}} + 1 & \text{if } n \equiv 0 \pmod 2, \\[4pt] q^{\frac{n+1}{2}} + q^{\frac{n}{2}} - \tfrac{1}{2} q^{\frac{n+3}{4}} - \tfrac{3}{2} q^{\frac{n+1}{4}} - q^{\frac{n-1}{4}} + 1 & \text{if } n \equiv 1 \pmod 2. \end{cases}$$

1 They mentioned this result (without proof and referring to an earlier version of our paper) in [?], where they also examine the Hasse-Witt invariant in some other towers of function fields.



In this subsection we will mainly show the following theorem.

Theorem 2.7. The Hasse-Witt invariant of the function field $F^{(n)}$ is given by

$$i_{F^{(n)}} = \begin{cases} & \text{if } n \equiv 0 \pmod 2, \\[4pt] (q^{(n-1)/4} - 1)(q^{(n+1)/4} - 1) & \text{if } n \equiv 1 \pmod 2. \end{cases}$$

In particular

$$\liminf_{n\to\infty} \frac{\log_q J_{F^{(n)}}[p]}{g(F^{(n)})} \le \lim_{n\to\infty} \frac{i_{F^{(n)}} \log_q p}{g(F^{(n)})}.$$

Then Theorem 2.3(iii) is a direct corollary of the above theorem.
We will use the following theorem.

Theorem 2.8 (Deuring-Shafarevich (see e.g. [32])). Let $E/F$ be a Galois extension of function fields over an algebraically closed field $k$ of characteristic $p$. Suppose that the Galois group of the extension is a $p$-group. Then

$$\gamma(E) - 1 = [E:F](\gamma(F) - 1) + \sum_{P \in \mathbb{P}(F)} \sum_{\substack{Q \in \mathbb{P}(E) \\ Q|P}} (e(Q|P) - 1).$$

From this theorem, we can obtain the following corollary for function fields over finite fields.

Corollary 2.9. Let $E/F$ be a Galois extension of function fields over a finite field $\mathbb{F}_q$ of characteristic $p$. Suppose that the Galois group of the extension is a $p$-group. Then

$$i_E - 1 = [E:F](i_F - 1) + \sum_{P \in \mathbb{P}(F)} \sum_{\substack{Q \in \mathbb{P}(E) \\ Q|P}} (e(Q|P) - 1) \deg Q.$$
Proof. Let $\bar{E} = E \cdot \bar{\mathbb{F}}_q$, $\bar{F} = F \cdot \bar{\mathbb{F}}_q$, where $\bar{\mathbb{F}}_q$ denotes an algebraic closure of $\mathbb{F}_q$. By elementary algebra arguments we can see that since $E/F$ is Galois and both $E$ and $F$ have the same full constant field $\mathbb{F}_q$, then $\bar{E}/\bar{F}$ is also Galois and the Galois groups of both extensions are the same.

We can therefore apply the Deuring-Shafarevich Theorem to $\bar{E}$ and $\bar{F}$, thereby obtaining:

$$\gamma(\bar{E}) - 1 = [\bar{E}:\bar{F}](\gamma(\bar{F}) - 1) + \sum_{P' \in \mathbb{P}(\bar{F})} \sum_{\substack{Q' \in \mathbb{P}(\bar{E}) \\ Q'|P'}} (e(Q'|P') - 1).$$

Note that $\gamma(\bar{E}) = i_E$, $\gamma(\bar{F}) = i_F$ and $[\bar{E}:\bar{F}] = [E:F]$, so all we are left to do is to analyse the last term.

Given a place $P \in \mathbb{P}(F)$ of degree $k$, and a place $Q \in \mathbb{P}(E)$ of degree $m$ such that $Q|P$, there are exactly $k$ places $P'_1, \dots, P'_k \in \mathbb{P}(\bar{F})$ lying over $P$ and $m$ places $Q'_1, \dots, Q'_m \in \mathbb{P}(\bar{E})$ lying over $Q$. Each of the places $Q'_j$ lies above some $P'_i$. Moreover, all places of $\bar{E}$ lying above a place $P'_i \in \mathbb{P}(\bar{F})$ are among the $Q'_j$. It is well known that all places in $\bar{F}$ and $\bar{E}$ have degree 1. Given $P'$ in $\{P'_1, \dots, P'_k\}$ and $Q'$ in $\{Q'_1, \dots, Q'_m\}$, we have $e(P'|P) = 1$ and $e(Q'|Q) = 1$. Consequently, if $Q'$ lies above $P'$, we deduce $e(Q'|P') = e(Q|P)$ since $e(Q'|P')e(P'|P) = e(Q'|P) = e(Q'|Q)e(Q|P)$. Thus

$$\sum_{P' \in \mathbb{P}(\bar{F})} \sum_{\substack{Q' \in \mathbb{P}(\bar{E}) \\ Q'|P'}} (e(Q'|P') - 1) = \sum_{P \in \mathbb{P}(F)} \sum_{\substack{Q \in \mathbb{P}(E) \\ Q|P}} (e(Q|P) - 1) \deg Q.$$

□



Proof of Theorem 2.7. Fix some $n \ge 1$ and for the sake of notation let $E := F^{(n)}$, $F := F^{(n-1)}$. Consider the extension $E/F$. This is an Artin-Schreier extension, hence its Galois group is a $p$-group. By the theorem of Riemann-Hurwitz (see e.g. [52]) and Fact (2) above,

$$(2.3) \qquad 2g(E) - 2 = \sqrt{q}\,(2g(F) - 2) + (\sqrt{q} + 2) \sum_{P \in \mathbb{P}(F)} \sum_{\substack{Q \in \mathbb{P}(E) \\ Q|P}} (e(Q|P) - 1) \deg Q.$$

By Corollary 2.9,

$$(2.4) \qquad i_E - 1 = \sqrt{q}\,(i_F - 1) + \sum_{P \in \mathbb{P}(F)} \sum_{\substack{Q \in \mathbb{P}(E) \\ Q|P}} (e(Q|P) - 1) \deg Q.$$

Combining equations (2.3) and (2.4), we find

$$i_E = \sqrt{q} \cdot i_F + \frac{2g(E) - 2\sqrt{q}\, g(F) - q + \sqrt{q}}{\sqrt{q} + 2}.$$

This, of course, holds for any $n \ge 1$, $E := F^{(n)}$, $F := F^{(n-1)}$. Using the fact that $i_{F^{(0)}} = 0$ and applying induction, the result follows. □
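As an added worked example (not part of the original paper), the recurrence above is carried through for the first steps of the tower, writing $l = \sqrt{q}$, $g_n = g(F^{(n)})$ and $i_n = i_{F^{(n)}}$. The genus values are those of fact (3) above, $i_0 = 0$ is the starting value of the induction, and the abbreviation $\Delta_n$ is introduced here only for this computation.

```latex
\text{Recurrence: } i_n = l\, i_{n-1} + \Delta_n, \qquad
\Delta_n := \frac{2g_n - 2l\, g_{n-1} - l^2 + l}{l+2}.

\text{Genera from fact (3), with } q = l^2:\quad
g_0 = 0,\quad g_1 = \tfrac12 l(l-1),\quad g_2 = l^3 - 2l + 1,
g_3 = l^4 + \tfrac12 l^3 - \tfrac32 l^2 - l + 1,\quad
g_4 = l^5 + l^4 - l^3 - 2l^2 + 1.

n = 1:\quad \Delta_1 = \frac{(l^2 - l) - 0 - l^2 + l}{l+2} = 0,
\qquad i_1 = 0.

n = 2:\quad \Delta_2 = \frac{(2l^3 - 4l + 2) - (l^3 - l^2) - l^2 + l}{l+2}
 = \frac{l^3 - 3l + 2}{l+2} = (l-1)^2,
\qquad i_2 = (l-1)^2.

n = 3:\quad \Delta_3 = \frac{(2l^4 + l^3 - 3l^2 - 2l + 2) - (2l^4 - 4l^2 + 2l) - l^2 + l}{l+2}
 = \frac{l^3 - 3l + 2}{l+2} = (l-1)^2,
\qquad i_3 = l(l-1)^2 + (l-1)^2 = (l-1)(l^2-1).

n = 4:\quad \Delta_4 = \frac{(2l^5 + 2l^4 - 2l^3 - 4l^2 + 2) - (2l^5 + l^4 - 3l^3 - 2l^2 + 2l) - l^2 + l}{l+2}
 = \frac{l^4 + l^3 - 3l^2 - l + 2}{l+2} = (l-1)^2(l+1),
\qquad i_4 = l(l-1)^2(l+1) + (l-1)^2(l+1) = (l^2-1)^2.

\text{Check against Theorem 2.7 for odd } n:\quad
i_1 = (q^{0} - 1)(q^{1/2} - 1) = 0,\qquad
i_3 = (q^{1/2} - 1)(q - 1) = (l-1)(l^2-1).

\text{Ratio for odd } n \text{ (leading terms of the theorem and of fact (3)):}\quad
\frac{i_n}{g_n} = \frac{l^{n}\,(1 - l^{-(n-1)/2})(1 - l^{-(n+1)/2})}{l^{n}\,(l + 1) - \tfrac12 l^{(n+3)/2} - \tfrac32 l^{(n+1)/2} - l^{(n-1)/2} + 1}
\;\longrightarrow\; \frac{1}{l+1} = \frac{1}{\sqrt{q}+1},

\text{so } \frac{\log_q J_{F^{(n)}}[p]}{g_n} \le \frac{i_n \log_q p}{g_n} \longrightarrow \frac{\log_q p}{\sqrt{q}+1} = \frac{1}{(\sqrt{q}+1)\log_p q}.
```

For $q = 4$ (so $l = 2$) the computation gives $(g_n, i_n) = (0,0), (1,0), (5,1), (13,3), (33,9)$ for $n = 0, \dots, 4$; the ratio $i_n/g_n$ increases towards $1/(l+1) = 1/3$, and $i_3 = 3$ agrees with the odd-$n$ formula of Theorem 2.7.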

We can use the same kind of argument applied to a different tower to prove Theorem 2.5.

Proof of Theorem 2.5. In [63], Xing and Yeo gave an example of a tower $\mathcal{F} = (F_0 \subset F_1 \subset \cdots)$ of function fields over $\mathbb{F}_2$ with Ihara limit $97/376 = 0.257979\ldots$ (by a tower, we mean that $F_i \subset F_{i+1}$ for all $i \ge 0$). Using cyclotomic function fields, they constructed a function field $F = F_0$ over $\mathbb{F}_2$ of genus 377, which admits an infinite $(2;S)$-Hilbert class field tower for a set $S \subset \mathbb{P}(F)$ of places of $F$, such that $S' = \mathbb{P}(F) \setminus S$ consists of 97 rational places of $F$. Each step $F_{i+1}/F_i$ is unramified. Hence, to compute the Hasse-Witt invariant of $F_i$, it is sufficient to compute the Hasse-Witt invariant of $F_0$ by using the formula of Deuring-Shafarevich.

To do so, we briefly recall the construction of the function field $F$. For more details, the reader may refer to [63]. Let $k = \mathbb{F}_2(x)$ be the rational function field over $\mathbb{F}_2$. Let $M = (x^4 + x^3 + x^2 + x + 1)^2 \in \mathbb{F}_2[x]$ and let $N := x^4$. Denote by $k_M$ (resp. $k_N$) the cyclotomic function field over $k$ with modulus $M$ (resp. modulus $N$). Let $K$ be the subfield of $k_M$ fixed by the cyclic subgroup $\langle x \rangle$ of $\mathrm{Gal}(k_M/k) = (\mathbb{F}_2[x]/M)^*$ and let $L$ be the subfield of $k_N$ that is fixed by the cyclic subgroup $\langle (x+1)^2 \rangle$ of $\mathrm{Gal}(k_N/k) = (\mathbb{F}_2[x]/N)^*$. We have $[K:k] = 24$ and $[L:k] = 4$. Define $F := KL$, the composite of the fields $K$ and $L$. The only ramified place in $K/k$ is the place corresponding to the irreducible polynomial $x^4 + x^3 + x^2 + x + 1$. It is totally ramified with different exponent 44. In the extension $L/k$ the only ramified place is the zero of $x$. It is totally ramified with different exponent 10.

From the ramification in $K/k$ and $L/k$, it follows that $K$ and $L$ are linearly disjoint over $k$. We have $[F:k] = 2^5 \times 3$. The fixed field of the 2-Sylow subgroup of $\mathrm{Gal}(F/k)$ is generated over $k$ by an element $w$, whose irreducible polynomial over $k$ is given by

$$T^3 + (x^4 + x^3 + x^2 + x + 1)T^2 + (x^5 + 1)T + (x^4 + x^3 + x^2 + x + 1) \in k[T].$$

Let $F' = k(w)$. We have $k \subset F' \subset K$. The only ramified place in $F'/k$ is the place corresponding to the irreducible polynomial $x^4 + x^3 + x^2 + x + 1$. It is tamely ramified with ramification index 3. Hence the genus of $F'$ is 2. Next, by computing the Hasse-Witt invariant of $F$, we know that in the degree 32 extension $F/F'$ the only ramified places are the places lying over the places of $k$ associated to the irreducible polynomials $x$ and $x^4 + x^3 + x^2 + x + 1$. The corresponding ramification indices are 4 and 8, respectively. So we have

$$i_F - 1 = 32(2 - 1) + 4 \times 4 \times (8 - 1) + 3 \times 8 \times (4 - 1) = 216.$$

For the $(2;S)$-Hilbert class field tower of $F = F_0$, we hence have

$$g(F_n) - 1 = [F_n : F_0](g(F_0) - 1) = 376[F_n : F_0]$$

and

$$i_{F_n} - 1 = [F_n : F_0](i_{F_0} - 1) = 216[F_n : F_0].$$

Therefore,

$$\lim_{n\to\infty} \frac{i_{F_n}}{g(F_n)} = \frac{216}{376} = 0.574468\ldots.$$

□



2.4. Proof of Theorem 2.3(ii). For an abelian variety $A$ defined over a field $k$ and a positive integer $m$, the $m$-torsion point group, denoted by $A[m]$, is defined to be the set of the points over the algebraic closure $\bar{k}$ annihilated by $m$. As we remarked below Theorem 2.3, $A[m]$ is isomorphic to $(\mathbb{Z}/m\mathbb{Z})^{2g}$ if $m$ is co-prime to the characteristic $p$ of $k$, and $A[p]$ is isomorphic to $(\mathbb{Z}/p\mathbb{Z})^a$ for a non-negative integer $a \le g$, where $g$ is the dimension of $A$. We denote by $A(k)$ the set of $k$-rational points of $A$. Thus, the set of $m$-torsion $k$-rational points is $A(k)[m] = A(k) \cap A[m]$.

If $m$ is co-prime with the characteristic of $k$, then we can define the Weil pairing to be a map $e_m$ from $A[m] \times \hat{A}[m]$ to $G_m$, where $\hat{A}$ denotes the dual abelian variety of $A$ and $G_m \simeq \mathbb{Z}/m\mathbb{Z}$ is the group of $m$-th roots of unity in $\bar{k}$. The Weil pairing $e_m$ has some properties such as being bilinear, non-degenerate, commuting with the Galois action of $\mathrm{Gal}(\bar{k}/k)$ (see [?]), etc. More precisely, we have

(i) $e_m(S_1 + S_2, T) = e_m(S_1, T)\, e_m(S_2, T)$; $e_m(S, T_1 + T_2) = e_m(S, T_1)\, e_m(S, T_2)$;

(ii) if $e_m(S, T) = 1$ for all $S \in A[m]$, then $T = 0$;

(iii) $e_m(S^\sigma, T^\sigma) = e_m(S, T)^\sigma$ for all $\sigma \in \mathrm{Gal}(\bar{k}/k)$.

If there is a polarization $\lambda$ from $A$ to $\hat{A}$, we get a pairing $e_m^\lambda$ from $A[m] \times A[m]$ to $G_m$ defined by

$$e_m^\lambda(P, Q) = e_m(P, \lambda(Q)).$$

From now on, we assume that $A$ is a Jacobian over $k$. Then there is a principal polarization $\lambda$ from $A$ to $\hat{A}$ which is an isomorphism. In this case, we denote $e_m^\lambda$ by $w_m$, i.e., $w_m$ is a pairing from $A[m] \times A[m]$ to $G_m$. It is clear that $w_m$ satisfies all three properties above as well. From the bilinear property, we have $w_m(tP, Q) = w_m(P, Q)^t$ and $w_m(P, tQ) = w_m(P, Q)^t$ for any $t \ge 0$ and $P, Q \in A[m]$.

To derive an upper bound on the size of $r$-torsion points, we need the following result, which can be derived easily by using linear algebra.

Lemma 2.10. For a prime $r$, consider an $\mathbb{F}_r$-vector space $W$ of dimension $n$ and a non-degenerate bilinear map $e$ from $W \times W$ to $\mathbb{F}_r$, i.e.,

(i) $e(x + z, y) = e(x, y) + e(z, y)$, $e(x, y + z) = e(x, y) + e(x, z)$;

(ii) if $e(x, u) = 0$ for all $x \in W$, then $u = 0$.

If $V$ is an $\mathbb{F}_r$-subspace of $W$ such that $e(x, y) = 0$ for all $x, y \in V$, then $\dim_{\mathbb{F}_r} V \le n/2$.

The proof of the above lemma is quite straightforward. Note that if $e$ is the Euclidean inner product, then $V$ is self-orthogonal and hence this is a well-known fact.

Applying Lemma 2.10 to the Weil pairing $w_r$, we immediately obtain the following result.

Corollary 2.11. If $V$ is an $\mathbb{F}_r$-subspace of $A[r]$ such that $w_r(P, Q) = 1$ for all $P, Q \in V$, then $\dim_{\mathbb{F}_r}(V) \le g$.

Proof. Let $\zeta$ be a primitive $r$-th root of unity and consider the bilinear map $(P, Q) \mapsto a \in \mathbb{Z}/r\mathbb{Z}$, where $a$ satisfies $\zeta^a = w_r(P, Q)$. The desired result follows from Lemma 2.10. □

Proposition 2.12. Let $k = \mathbb{F}_q$ and assume that a prime $r$ does not divide $q - 1$. If $A$ is a Jacobian variety over $k$, then $\dim_{\mathbb{F}_r}(A(k)[r]) \le g$.

Proof. If $r$ is the characteristic of $k$, then it is trivial. Now assume that $r$ is not the characteristic of $k$. It is easy to verify that $A(k)[r]$ is an $\mathbb{F}_r$-subspace of $A[r]$. For any $\sigma$ in the Galois group $\mathrm{Gal}(\bar{k}/k)$, one has

$$w_r(P, Q) = w_r(P^\sigma, Q^\sigma) = w_r(P, Q)^\sigma.$$

This implies that $w_r(P, Q)$ is an element of $k$. However, the only $r$-th root of unity in $k$ is 1. We get $w_r(P, Q) = 1$ for all $P, Q \in A(k)[r]$. Our desired result follows from Corollary 2.11. □

Proof of Theorem 2.3(ii). Part 2 of Theorem 2.3 is an immediate result of Proposition 2.12. □

2.5. Proof of Theorem 12.41 We can now lift our results from A(A;)[r] to 
A{k)[r t \. 

Lemma 2.13. Let $k = \mathbb{F}_q$ and let $r$ be a prime. If $A$ is an Abelian variety over $k$ with $|A(k)[r]| \le a$, then $|A(k)[r^t]| \le a^t$ for every $t \ge 1$.

Proof. We prove it by induction. The case $t = 1$ is the given condition. Now assume that it is true for $t-1$. Consider the map
$$[r]_k : A(k)[r^t] \to A(k)[r^{t-1}];\qquad P \mapsto rP.$$
It is clear that the kernel of $[r]_k$ is $A(k)[r]$. Thus, one has
$$|A(k)[r^t]| = |\ker([r]_k)| \times |\mathrm{Im}([r]_k)| \le a \times a^{t-1} = a^t.$$
The desired result follows. □
Proposition 2.14. Let $k = \mathbb{F}_q$ and assume that a prime $r$ does not divide $q-1$.

(1) If $A$ is a Jacobian variety over $k$, then $|A(k)[r^t]| \le r^{gt}$ for every $t \ge 1$.

(2) If $m \ge 2$ is an integer, then $|A(k)[m]| \le (dm)^g$, where $d = \gcd(m, q-1)$.

Proof. Part 1 is the direct result of Proposition 2.12 and Lemma 2.13.

To prove Part 2, we factorize $m$ into the product $\prod_p p^{s_p} \times \prod_\ell \ell^{e_\ell}$ of prime powers, where $d = \prod_p p^{s_p}$ is a factor of $q-1$ and $\prod_\ell \ell^{e_\ell} = m/d$. By Part 1 and the following isomorphism
$$A(k)[m] \simeq \prod_p A(k)[p^{s_p}] \times \prod_\ell A(k)[\ell^{e_\ell}],$$
we have
$$|A(k)[m]| = \Big|\prod_p A(k)[p^{s_p}]\Big| \times \prod_\ell |A(k)[\ell^{e_\ell}]| \le d^{2g} \times (m/d)^g = (dm)^g.$$
□



Proof of Theorem 2.4. Theorem 2.4 is a consequence of Theorem 2.7 in Subsection 2.4, Lemma 2.13 and Proposition 2.14. □

3. Riemann-Roch Systems of Equations

Let $\mathbb{F}_q$ be a finite field and let $F$ be an algebraic function field over $\mathbb{F}_q$.

Definition 3.1. Let $s \in \mathbb{Z}_{>0}$ and let $Y_i \in \mathrm{Cl}(F)$, $m_i \in \mathbb{Z} \setminus \{0\}$ for $i = 1, \dots, s$. The Riemann-Roch system of equations in the indeterminate $X$ is the system $\{\ell(m_i X + Y_i) = 0\}_{i=1}^s$ determined by these data. A solution is some $[G] \in \mathrm{Cl}(F)$ which satisfies all equations when substituted for $X$.

While Riemann-Roch systems have been (implicitly) used before in the construction of codes with good asymptotic properties, for instance in [56], [62], [61], [65] (among others), they were of a less general type. Namely, $m_i = \pm 1$ for all $i$. As we shall see soon, dealing with the more general case where $m_i \ne \pm 1$ leads us to consider $m_i$-torsion in the class group.

One observation about the systems is that $X$ is a solution of the equation $\ell(m_i X + Y_i) = 0$ as long as $\deg(m_i X + Y_i) < 0$, since we have $\ell(m_i X + Y_i) = 0$ in this case. This suggests that, if we want to prove the existence of solutions of certain fixed degree, we should only consider those equations $\ell(m_i X + Y_i) = 0$ in the Riemann-Roch system with $\deg(m_i X + Y_i) \ge 0$.

The following theorem shows that a solution of degree $d$ exists if a certain numerical condition is satisfied that involves the class number, the number $A_{r_i}$ of effective divisors of degree $r_i$ and the cardinality of the $m_i$-torsion subgroups of the degree-zero divisor class group, where the $m_i$ are determined by the system and the $r_i$ are determined by $d$ and the $m_i$.
Theorem 3.2. Consider the Riemann-Roch system of equations
$$\{\ell(m_i X + Y_i) = 0\}_{i=1}^s.$$
Let $d_i = \deg Y_i$ for $i = 1, \dots, s$. Write $h := h(F)$ for the class number. Denote by $A_r$ the number of effective divisors of degree $r$ in $\mathrm{Div}(F)$ for $r \ge 0$, and set $A_r = 0$ for $r < 0$. Let $d \in \mathbb{Z}$ and define $r_i = m_i d + d_i$ for $i = 1, \dots, s$. If
$$h > \sum_{i=1}^s A_{r_i} \cdot |\mathcal{J}_F[m_i]|,$$
then the Riemann-Roch system has a solution $[G] \in \mathrm{Cl}_d(F)$.

Proof. Let $S$ be the set $\{1 \le i \le s : r_i \ge 0\}$. For each $i \in S$, argue in the following way. Define the maps
$$\phi_i : \mathrm{Cl}_d(F) \to \mathrm{Cl}_{m_i d}(F),\qquad X \mapsto m_i X$$
and
$$\psi_i : \mathrm{Cl}_{m_i d}(F) \to \mathrm{Cl}_{r_i}(F),\qquad X' \mapsto X' + Y_i.$$
Then $\psi_i$ is an injection and each image under $\phi_i$ has exactly $|\mathcal{J}_F[m_i]|$ preimages. Write $\sigma_i = \psi_i \circ \phi_i$. Then, for any element $Z \in \mathrm{Cl}_{r_i}(F)$, $|\sigma_i^{-1}(Z)| \le |\mathcal{J}_F[m_i]|$. Hence, $|\sigma_i^{-1}(\mathrm{Cl}^+_{r_i}(F))| \le A_{r_i} \cdot |\mathcal{J}_F[m_i]|$. Thus,
$$\Big|\bigcup_{i \in S} \sigma_i^{-1}(\mathrm{Cl}^+_{r_i}(F))\Big| \le \sum_{i \in S} A_{r_i} \cdot |\mathcal{J}_F[m_i]|.$$
Since
$$|\mathrm{Cl}_d(F)| = h > \sum_{i=1}^s A_{r_i} \cdot |\mathcal{J}_F[m_i]| = \sum_{i \in S} A_{r_i} \cdot |\mathcal{J}_F[m_i]|,$$
there is an element $[G] \in \mathrm{Cl}_d(F) \setminus \bigcup_{i \in S} \sigma_i^{-1}(\mathrm{Cl}^+_{r_i}(F))$. Since $\sigma_i([G]) \in \mathrm{Cl}_{r_i}(F)$ but $\sigma_i([G]) \notin \mathrm{Cl}^+_{r_i}(F)$, it follows that $\ell(m_i G + Y_i) = 0$ for $i \in S$, i.e., $[G]$ is a solution of the system $\{\ell(m_i X + Y_i) = 0\}_{i \in S}$. From an observation before this theorem, we know that $[G]$ is also a solution of $\{\ell(m_i X + Y_i) = 0\}_{i=1}^s$, and thus the desired result follows. □

Remark 3.3. ("Solving by taking any divisor $X$ of large enough degree")

(i) If $r_i < 0$ for all $i = 1, \dots, s$, then the inequality in Theorem 3.2 is automatically satisfied and hence the Riemann-Roch system always has a solution.

(ii) In many scenarios in algebraic geometry codes, one can simply argue for a solution of the Riemann-Roch system by assuming that $r_i < 0$ for all $i = 1, \dots, s$.

(iii) For instance, in [18], it was also simply assumed $r_i < 0$ to obtain strongly multiplicative linear secret sharing schemes. But this does not always give the best results. In particular, in Section 4 we will show how we can employ Theorem 3.2 to get improvements, especially for small finite fields.

It will often be more convenient to write systems as defined over $\mathrm{Div}(F)$ rather than $\mathrm{Cl}(F)$.

The condition in Theorem 3.2 involves the number of positive divisors of certain degrees and the class number. The following bound will be useful in the applications. The proof is based on careful manipulations with the zeta-function of $F$.

Proposition 3.4. Let $F$ be an algebraic function field over $\mathbb{F}_q$. Write $g$ for the genus $g(F)$ and $h$ for the class number $h(F)$. For $r \in \mathbb{Z}_{\ge 0}$, write $A_r$ for the number of effective divisors of degree $r$ in $\mathrm{Div}(F)$. Suppose $g \ge 1$. Then, for any integer $r$ with $0 \le r \le g-1$,
$$\frac{A_r}{h} \le \frac{g}{q^{\,g-r-1}(\sqrt{q}-1)^2}.$$
Proof. For $i \ge 2g-1$ the value of $A_i$ is known as a function of $q$, $g$, $h$, $i$ (see Lemma 5.1.4 and Corollary 5.1.11 in [52]). This has been exploited in Lemma 3 (ii) from [43], to show that



by manipulations of power series, where $L(t)$ is the $L$-polynomial in the zeta function of $F$.

The claim will be derived from a relation that is obtained by taking the limit as $t$ tends to $1/q$ on both sides of the equation above, where l'Hôpital's Rule is applied on the RHS, then finding an expression for $L'(1/q)$ (the "left-over term"), and substituting that back in.

Taking this limit,



and applying l'Hôpital's rule ($(f(t))'|_{t=a}$ denotes the derivative of $f$ evaluated at $t = a$), it follows that the left-over term is
$$\big(L(t) - h t^{g}\big)'\Big|_{t=1/q} = L'(1/q) - \frac{gh}{q^{\,g-1}} = -\,\frac{gh - q^{\,g-1} L'(1/q)}{q^{\,g-1}},$$
and hence,



Evaluation of $L(1/q)$ is straightforward by combining the Functional Equation for $L$-polynomials and the fact that $L(1) = h$ (see [52]). Namely,
$$L(1/q) = \frac{h}{q^{g}}.$$
Therefore, writing $L(t) = \prod_{i=1}^{2g}(1 - \omega_i t)$,
$$L'(1/q) = -L(1/q)\sum_{i=1}^{2g} \frac{\omega_i}{1 - \omega_i/q} = -\,\frac{h}{q^{\,g-1}}\sum_{i=1}^{2g} \frac{\omega_i}{q - \omega_i}.$$

Substituting the expression for $L'(1/q)$ back in, it follows that



Note that, trivially, by writing it appropriately as a fraction of the other expressions in the equation, the expression between brackets on the right-most side must be a positive number. Using this and the fact $|\omega_i| = \sqrt{q}$ for $i = 1, \dots, 2g$, it holds, for $0 \le r \le g-1$, that
$$\frac{A_r}{h} \le \frac{g}{q^{\,g-r-1}(\sqrt{q}-1)^2},$$
and the claimed result follows. □

4. Application 1: Arithmetic Secret Sharing

Our first application concerns the asymptotic study of arithmetic secret sharing schemes, which was first considered in [21, 18] in the context of secure multi-party computation. Since then, the asymptotical results from [18] have had important and surprising applications in two-party cryptography as well [35], [36], [22], among others. For a more detailed discussion of the motivation, results and applications, please refer to [18]. We first define arithmetic secret sharing schemes and then show how our torsion limits help to improve prior results significantly.

Let $k, n$ be integers with $k, n \ge 1$. Consider the $\mathbb{F}_q$-vector space $\mathbb{F}_q^k \times \mathbb{F}_q^n$, where $\mathbb{F}_q$ is an arbitrary finite field.
Definition 4.1. The $\mathbb{F}_q$-vector space morphism
$$\pi_0 : \mathbb{F}_q^k \times \mathbb{F}_q^n \to \mathbb{F}_q^k$$
is defined by the projection
$$(s_1, \dots, s_k, c_1, \dots, c_n) \mapsto (s_1, \dots, s_k).$$
For each $i \in \{1, \dots, n\}$, the $\mathbb{F}_q$-vector space morphism
$$\pi_i : \mathbb{F}_q^k \times \mathbb{F}_q^n \to \mathbb{F}_q$$
is defined by the projection
$$(s_1, \dots, s_k, c_1, \dots, c_n) \mapsto c_i.$$
For $\emptyset \ne A \subset \{1, \dots, n\}$, the $\mathbb{F}_q$-vector space morphism
$$\pi_A : \mathbb{F}_q^k \times \mathbb{F}_q^n \to \mathbb{F}_q^{|A|}$$
is defined by the projection
$$(s_1, \dots, s_k, c_1, \dots, c_n) \mapsto (c_i)_{i \in A}.$$
For $v \in \mathbb{F}_q^k \times \mathbb{F}_q^n$, it is sometimes convenient to denote $\pi_0(v) \in \mathbb{F}_q^k$ by $v_0$ and $\pi_A(v) \in \mathbb{F}_q^{|A|}$ by $v_A$. We write $\mathcal{I}^* = \{1, \dots, n\}$. It is also sometimes convenient to refer to $v_0$ as the secret-component of $v$ and to $v_{\mathcal{I}^*}$ as its shares-component.

Definition 4.2. An $n$-code for $\mathbb{F}_q^k$ (over $\mathbb{F}_q$) is an $\mathbb{F}_q$-vector space $C \subset \mathbb{F}_q^k \times \mathbb{F}_q^n$ such that

(i) $\pi_0(C) = \mathbb{F}_q^k$;

(ii) $(\ker \pi_{\mathcal{I}^*}) \cap C \subset (\ker \pi_0) \cap C$.

For $c \in C$, $c_0 \in \mathbb{F}_q^k$ is the secret and $c_{\mathcal{I}^*} \in \mathbb{F}_q^n$ the shares.

The first condition means that, in $C$, the secret can take any value in $\mathbb{F}_q^k$. More precisely, for a uniformly random vector $c \in C$, the secret $c_0$ is uniformly random in $\mathbb{F}_q^k$. This follows from the fact that the projection $(\pi_0)|_C$ is regular (since it is a surjective $\mathbb{F}_q$-vector space morphism).

The second condition means that the shares uniquely determine the secret. Indeed, the shares do not always determine the secret uniquely if and only if there are $c, c' \in C$ such that their shares coincide but not their secrets. Therefore, by linearity, the shares determine the secret uniquely if and only if the shares being zero implies the secret being zero. Moreover these two conditions imply that $k \le n$.

Note that an $n$-code with the stronger condition $(\ker \pi_{\mathcal{I}^*}) \cap C = (\ker \pi_0) \cap C$ is a $k$-dimensional error correcting code of length $n$.

Definition 4.3 ($r$-reconstructing). An $n$-code $C$ for $\mathbb{F}_q^k$ is $r$-reconstructing ($1 \le r \le n$) if
$$(\ker \pi_A) \cap C \subset (\ker \pi_0) \cap C$$
for each $A \subset \mathcal{I}^*$ with $|A| = r$.

In other words, $r$-reconstructing means that any $r$ shares uniquely determine the secret. Note that an $n$-code is $n$-reconstructing by definition.

Definition 4.4 ($t$-Disconnected). An $n$-code $C$ for $\mathbb{F}_q^k$ is $t$-disconnected if $t = 0$, or else if $1 \le t < n$ and the projection
$$\pi_{0,A} : C \to \mathbb{F}_q^k \times \pi_A(C),\qquad c \mapsto (\pi_0(c), \pi_A(c))$$
is surjective for each $A \subset \mathcal{I}^*$ with $|A| = t$. If, additionally, $\pi_A(C) = \mathbb{F}_q^t$, we say $C$ is $t$-uniform.

If $t > 0$, then $t$-disconnectedness means the following. Let $A \subset \mathcal{I}^*$ with $|A| = t$. Then, for uniformly random $c \in C$, the secret $c_0$ is independently distributed from the $t$ shares $c_A$. Indeed, for the same reason that the secret $c_0$ is uniformly random in $\mathbb{F}_q^k$, it holds that $(c_0, c_A)$ is uniformly random in $\mathbb{F}_q^k \times \pi_A(C)$. Since the uniform distribution on the Cartesian product of two finite sets corresponds to the uniform distribution on one set, and independently, the uniform distribution on the other, the claim follows. Uniformity means that, in addition, $c_A$ is uniformly random in $\mathbb{F}_q^t$.

Definition 4.5 (Powers of an $n$-Code). Let $m \in \mathbb{Z}_{>0}$. For $x, x' \in \mathbb{F}_q^m$, their product $x * x' \in \mathbb{F}_q^m$ is defined coordinate-wise, i.e., $x * x' = (x_1 x_1', \dots, x_m x_m')$.

Let $d$ be a positive integer. If $C$ is an $n$-code for $\mathbb{F}_q^k$, then $C^{*d} \subset \mathbb{F}_q^k \times \mathbb{F}_q^n$ is the $\mathbb{F}_q$-linear subspace generated by all terms of the form $c^{(1)} * \dots * c^{(d)}$ with $c^{(1)}, \dots, c^{(d)} \in C$. For $d = 2$, we use the abbreviation $\widehat{C} := C^{*2}$.

Remark 4.6 (Powering Need Not Preserve $n$-Code). Suppose $C \subset \mathbb{F}_q^k \times \mathbb{F}_q^n$ is an $n$-code for $\mathbb{F}_q^k$. It follows immediately that the secret-component in $C^{*d}$ takes any value in $\mathbb{F}_q^k$. However, the shares-component in $C^{*d}$ need not determine the secret-component uniquely. Thus, $C^{*d}$ need not be an $n$-code for $\mathbb{F}_q^k$.

Definition 4.7 (Arithmetic secret sharing scheme). An $(n, t, d, r)$-arithmetic secret sharing scheme for $\mathbb{F}_q^k$ (over $\mathbb{F}_q$) is an $n$-code $C$ for $\mathbb{F}_q^k$ such that

(i) $t \ge 1$, $d \ge 2$;

(ii) $C$ is $t$-disconnected;

(iii) $C^{*d}$ is in fact an $n$-code for $\mathbb{F}_q^k$; and

(iv) $C^{*d}$ is $r$-reconstructing.

$C$ has uniformity if, in addition, it is $t$-uniform.

For example, the case $k = 1$, $d = 2$, $n = 3t+1$, $r = n-t$, $q > n$ obtained from Shamir's secret sharing scheme [50] (taking into account that degrees sum up when taking products of polynomials) corresponds to the secret sharing scheme used in [11, 12]. The properties are easily proved using Lagrange's Interpolation Theorem. The generalization to $k > 1$ of this Shamir-based approach is due to [23]. The abstract notion is due to [21], where also constructions for $d = 2$ were given based on general linear secret sharing. See also [18, 16] (among others). On the other hand the following limitations are easy to establish.
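The Shamir case just described, worked through in code as an added example (not code from the paper): Shamir's scheme over a prime field $\mathbb{F}_p$ as an $(n, t, 2, n-t)$-arithmetic secret sharing scheme with $k = 1$ and $n = 3t+1$, with a brute-force check of $t$-uniformity (Definition 4.4) and a concrete instance of Remark 4.6 for $n = 2t$. The evaluation points $P_i = i$ and the sample values $p = 11$, $t = 2$ are choices made here.

```python
"""Shamir-based (n, t, 2, n - t) arithmetic secret sharing over F_p with
k = 1 and n = 3t + 1 (added example; not code from the paper).
Codewords of C are (f(0), f(1), ..., f(n)) for polynomials f of degree <= t,
so the secret is f(0) and the shares are f(P_i) at the points P_i = i."""
import itertools
import random


def eval_poly(coeffs, x, p):
    """Evaluate sum_i coeffs[i] * x**i over F_p by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def interp_at_zero(points, p):
    """Lagrange interpolation: value at x = 0 of the unique polynomial of
    degree < len(points) through the pairs (x_i, y_i) (distinct x_i)."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def share(secret, t, n, p, rng=random):
    """A codeword of C with the given secret: pick f of degree <= t with
    f(0) = secret uniformly at random. The points 1..n must be distinct and
    nonzero in F_p, hence n < p (the q > n condition of Section 4)."""
    assert 0 < n < p
    coeffs = [secret % p] + [rng.randrange(p) for _ in range(t)]
    return [eval_poly(coeffs, x, p) for x in range(n + 1)]


def star_product(c1, c2, p):
    """The coordinate-wise product c1 * c2 of Definition 4.5 (here k = 1);
    it is the evaluation vector of the degree <= 2t polynomial f1 * f2."""
    return [(a * b) % p for a, b in zip(c1, c2)]


def reconstruct_product(prod_shares, p):
    """Secret of a codeword of C^{*2} from a dict {i: share_i} holding at
    least 2t + 1 shares; with n = 3t + 1 any n - t shares suffice, which is
    the (n - t)-reconstruction of Definition 4.7 (iv)."""
    return interp_at_zero(list(prod_shares.items()), p)


def t_uniform(t, n, p):
    """Brute-force check of Definition 4.4: for each set A of t positions and
    each secret s, the t shares of a uniformly random codeword with secret s
    run through all of F_p^t exactly once, so they are uniform on F_p^t and
    independent of s (t-disconnected and t-uniform)."""
    for A in itertools.combinations(range(1, n + 1), t):
        for s in range(p):
            seen = set()
            for tail in itertools.product(range(p), repeat=t):
                seen.add(tuple(eval_poly([s] + list(tail), x, p) for x in A))
            if len(seen) != p ** t:
                return False
    return True


def squared_code_collision(t, p):
    """Remark 4.6 made concrete for n = 2t: g(x) = prod_{i=1}^{n} (x - i) has
    degree 2t, so its evaluation vector lies in C^{*2}, yet all n shares are
    zero while the secret g(0) = (-1)^n n! mod p is not. Hence C^{*2} is not
    an n-code: condition (ii) of Definition 4.2 fails. Returns that vector."""
    n = 2 * t
    assert 0 < n < p
    coeffs = [1]
    for i in range(1, n + 1):          # multiply the polynomial by (x - i)
        coeffs = [(b - i * a) % p for a, b in zip(coeffs + [0], [0] + coeffs)]
    return [eval_poly(coeffs, x, p) for x in range(n + 1)]


if __name__ == "__main__":
    p, t, n = 11, 2, 7                 # n = 3t + 1 and q = 11 > n
    c_a, c_b = share(3, t, n, p), share(5, t, n, p)
    c_ab = star_product(c_a, c_b, p)
    print(reconstruct_product({i: c_ab[i] for i in range(1, n - t + 1)}, p))
    print(t_uniform(t, n, p), squared_code_collision(t, p))
```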

Proposition 4.8. Let $C$ be an $(n, t, d, r)$-arithmetic secret sharing scheme for $\mathbb{F}_q^k$ over $\mathbb{F}_q$. As a linear secret sharing scheme for $\mathbb{F}_q^k$ over $\mathbb{F}_q$, $C$ has $t$-privacy and $(r - (d-1)t)$-reconstruction. Hence, $dt + k \le r$. Particularly, if $k = 1$, $d = 2$, $r = n-t$, then $3t+1 \le n$.

We are now ready to state the asymptotical results from [18] in full generality.¹ Let $F/\mathbb{F}_q$ be an algebraic function field (in one variable, with $\mathbb{F}_q$ as field of constants). Let $g$ denote the genus of $F$. Let $k, t, n \in \mathbb{Z}$ with $n \ge 1$, $1 \le t < n$, $1 \le k \le n$. Suppose $Q_1, \dots, Q_k, P_1, \dots, P_n \in \mathbb{P}^{(1)}(F)$ are pairwise distinct $\mathbb{F}_q$-rational places. Write $Q = \sum_{j=1}^k Q_j \in \mathrm{Div}(F)$ and $D = Q + \sum_{i=1}^n P_i \in \mathrm{Div}(F)$. Let $G \in \mathrm{Div}(F)$ be such that $\mathrm{supp}\, D \cap \mathrm{supp}\, G = \emptyset$, i.e., they have disjoint support. Consider the AG-code
$$C(G; D) = \{(f(Q_1), \dots, f(Q_k), f(P_1), \dots, f(P_n)) : f \in \mathcal{L}(G)\} \subset \mathbb{F}_q^k \times \mathbb{F}_q^n.$$

Theorem 4.9 (from [18]). Let $t \ge 1$, $d \ge 2$. Let $C = C(G; D)$ with $\deg G \ge 2g + t + k - 1$. If $n > 2dg + (d+1)t + dk - d$, then $C$ is an $(n, t, d, n-t)$-arithmetic secret sharing scheme for $\mathbb{F}_q^k$ over $\mathbb{F}_q$ with uniformity.

Theorem 4.10 (from [18]). Fix $d \ge 2$ and a finite field $\mathbb{F}_q$. Suppose $A(q) > 2d$, where $A(q)$ is Ihara's constant. Then there is an infinite family of $(n, t, d, n-t)$-arithmetic secret sharing schemes for $\mathbb{F}_q^k$ over $\mathbb{F}_q$ with uniformity such that $n$ is unbounded, $k = \Omega(n)$ and $t = \Omega(n)$. Moreover, for every scheme $C$ in the family, a generator for $C$ is $\mathrm{poly}(n)$-time computable and $C^{*i}$ has $\mathrm{poly}(n)$-time reconstruction of a secret in the presence of $t$ faulty shares ($i = 1, \dots, d-1$).

Since $A(q) = \sqrt{q} - 1$ if $q$ is a square, it holds that $A(q) > 2d$ if $q$ is a square with $q > (2d+1)^2$. Also, since by Serre's Theorem $A(q) > c \log q$ for some absolute constant $c > 0$, it also holds that $A(q) > 2d$ if $q$ is (very) large. We will now apply our results on the torsion limit in combination with appropriate Riemann-Roch systems in order to relax the condition $A(q) > 2d$ considerably. As a result, we attain the result of [18] but this time over nearly all finite fields.

Theorem 4.11. Let $t \ge 1$, $d \ge 2$. Define $\mathcal{I}^* = \{1, \dots, n\}$. For $A \subset \mathcal{I}^*$ with $A \ne \emptyset$, define $P_A = \sum_{j \in A} P_j \in \mathrm{Div}(F)$. Let $K \in \mathrm{Div}(F)$ be a canonical divisor. If the system
$$\{\ell(dX - D + P_A + Q) = 0,\ \ \ell(K - X + P_A + Q) = 0\}_{A \subset \mathcal{I}^*,\ |A| = t}$$
is solvable, then there is a solution $G \in \mathrm{Div}(F)$ such that $C(G; D)$ is an $(n, t, d, n-t)$-arithmetic secret sharing scheme for $\mathbb{F}_q^k$ over $\mathbb{F}_q$ (with uniformity).



¹ In fact, we state a version that is proved by exactly the same arguments as in [18].
Proof. First note that if the system is solvable, then the Weak Approximation Theorem guarantees that we can take a solution $G \in \mathrm{Div}(F)$ such that $\mathrm{supp}\, G \cap \mathrm{supp}\, D = \emptyset$. We claim that the condition that $\ell(K - G + P_A + Q) = 0$ for $A \subset \mathcal{I}^*$ with $|A| = t$ implies $t$-disconnection and uniformity on the code. Write $A = \{i_1, \dots, i_t\}$. Consider the map
$$\phi : \mathcal{L}(G) \to \mathbb{F}_q^{k+t}$$
given by
$$f \mapsto (f(Q_1), \dots, f(Q_k), f(P_{i_1}), \dots, f(P_{i_t})).$$
Its kernel is $\mathcal{L}(G - Q - P_A)$. Consequently
$$\dim(\mathrm{Im}\,\phi) = \ell(G) - \ell(G - Q - P_A) = \ell(K - G) - \ell(K - G + Q + P_A) + \deg(Q + P_A),$$
where the second equality follows by application of the Riemann-Roch theorem to $G$ and to $G - Q - P_A$. Hence,
$$\ell(K - G) \le \ell(K - G + Q + P_A) = 0,$$
where the inequality follows from the fact that $Q, P_A \ge 0$ and where the equality holds by assumption. Therefore, $\ell(K - G) = 0$ and $\dim(\mathrm{Im}\,\phi) = \deg(Q + P_A) = k + t$. We conclude that $\phi$ is surjective and this proves the claim. Finally we prove $(n-t)$-reconstruction in $C^{*d}$. Let $B = \{i_1, \dots, i_{n-t}\}$ for distinct indices $i_1, \dots, i_{n-t} \in \mathcal{I}^*$. Since $f_1, \dots, f_d \in \mathcal{L}(G)$ implies $\prod_{i=1}^d f_i \in \mathcal{L}(dG)$, it is sufficient to prove that, for all $f \in \mathcal{L}(dG)$, the following holds: if the condition $f(P_i) = 0$ holds for all $i \in B$, then $f(Q_j) = 0$ for all $j \in \{1, \dots, k\}$. Since $P_B = D - Q - P_A$ for some $A \subset \mathcal{I}^*$ with $|A| = t$, it holds that
$$\mathcal{L}(dG - P_B) = \mathcal{L}(dG - D + P_A + Q),$$
which by assumption has dimension $0$. Hence, since $f \in \mathcal{L}(dG - P_B) = \{0\}$, we have $f = 0$. □

And now as a corollary of Theorems 3.2 and 4.11 we get the following:

Corollary 4.12. Let $F/\mathbb{F}_q$ be an algebraic function field. Let $d, k, t, n \in \mathbb{Z}$ with $d \ge 2$, $n \ge 1$ and $1 \le t < n$. Suppose $Q_1, \dots, Q_k, P_1, \dots, P_n \in \mathbb{P}^{(1)}(F)$ are pairwise distinct. If there is $s \in \mathbb{Z}$ such that
$$h > \binom{n}{t}\Big(A_{r_1} + A_{r_2}\,|\mathcal{J}_F[d]|\Big),$$
where $r_1 := 2g - s + t + k - 2$ and $r_2 := ds - n + t$, then there exists an $(n, t, d, n-t)$-arithmetic secret sharing scheme for $\mathbb{F}_q^k$ over $\mathbb{F}_q$ with uniformity.

Theorem 4.13. Let $\mathbb{F}_q$ be a finite field and $d \in \mathbb{Z}_{\ge 2}$. If there exists $0 < A \le A(q)$ such that $A > 1 + J_d(q, A)$, then there is an infinite family of $(n, t, d, n-t)$-arithmetic secret sharing schemes for $\mathbb{F}_q^k$ over $\mathbb{F}_q$ with $t$-uniformity where $n$ is unbounded, $k = \Omega(n)$ and $t = \Omega(n)$.

This will follow from the more precise statement in Theorem 4.15 below. Combining Main Theorem 4.13 with Theorem 2.5 we obtain, in the special case $d = 2$:

Theorem 4.14. For $q = 8, 9$ and for all prime powers $q \ge 16$ there is an infinite family of $(n, t, 2, n-t)$-arithmetic secret sharing schemes for $\mathbb{F}_q^k$ over $\mathbb{F}_q$ with $t$-uniformity where $n$ is unbounded, $k = \Omega(n)$ and $t = \Omega(n)$.

More precisely, we have the following result (for $d > 2$ there is a similar analysis).

Theorem 4.15. Let $\mathbb{F}_q$ be a finite field. Suppose $\kappa \in [0, \tfrac{1}{3})$ and $\tau \in (0, 1]$ and $0 < A \le A(q)$ are real numbers such that
$$A > (1 + \kappa)\big(1 + J_2(q, A)\big)$$
and
$$\tau + \frac{H_2(\tau)}{\log q} < \frac{1}{3}\left(1 - 3\kappa - \frac{(1 + J_2(q, A))(1 + \kappa)}{A}\right).$$
Then there is an infinite family of $(n, t, 2, n-t)$-arithmetic secret sharing schemes for $\mathbb{F}_q^k$ over $\mathbb{F}_q$ with uniformity where $n$ is unbounded, $k = \lfloor \kappa n \rfloor + 1$ and $t = \lfloor \tau n \rfloor$.

The proof of this fact relies on showing that the conditions in Corollary 4.12 are satisfied asymptotically for a family of function fields with Ihara's limit $A$, if the requirements of Theorem 4.15 are met. It is easy to show why Theorem 4.15 implies Main Theorem 4.13: if $0 < A \le A(q)$ is such that $A > 1 + J_2(q, A)$, we can always select $\kappa \in (0, \tfrac{1}{3})$ and $\tau \in (0, 1]$ satisfying the conditions in Theorem 4.15. Note that in order to obtain the result in Main Theorem 4.14 we require $\kappa > 0$.

We prove Theorem 4.15 formally below, but give here an indication of how one would bound asymptotically each parameter in the inequality of Corollary 4.12. Of course $|\mathcal{J}_F[2]|$ is dealt with asymptotically with the torsion limit $J_2(q, A)$ which we have introduced in this paper. Stirling's Formula gives an asymptotical bound for the binomial coefficients $\binom{n}{t}$. Finally the quotients $A_r/h$ can be bounded by means of Proposition 3.4.

Proof of Theorem 4.15. Fix any $A$, $\kappa$, $\tau$ satisfying the conditions of the statement. Let $\mathcal{F} = \{F_m\}_{m \ge 0}$ be an infinite family of algebraic function fields over $\mathbb{F}_q$ with $g(F_m) \to \infty$ such that $A(\mathcal{F}) \ge A$ and $J := J_2(\mathcal{F}) = J_2(q, A)$. Define $g_m = g(F_m)$, $h_m = h(F_m)$, $j_m = \log_q(|\mathcal{J}(F_m)[2]|)$. Let $n_m = \lfloor \frac{1}{1+\kappa}(N(F_m) - 1) \rfloor$ and $k_m = \lfloor \kappa n_m \rfloor + 1$. Note $n_m + k_m \le N(F_m)$, so we can pick $n_m + k_m$ distinct rational points in $F_m$. We set $t_m = \lfloor \tau n_m \rfloor$. We choose $d_m = \lfloor \delta g_m \rfloor$ where $\delta = 1 + \frac{A - 1 - J}{3}$. Define $(r_1)_m = 2g_m - d_m + t_m + k_m - 2$ and $(r_2)_m = 2d_m - n_m + t_m$. For $m$ large enough we want to verify that we can apply Corollary 4.12 to $F_m$. We already noted we can take $n_m + k_m$ distinct points in $\mathbb{P}^{(1)}(F_m)$, so we now need to verify the condition
$$h_m > \binom{n_m}{t_m}\Big(A_{(r_1)_m} + A_{(r_2)_m}\,|\mathcal{J}_{F_m}[2]|\Big).$$
We will use Proposition 3.4. It is easy to see that $0 \le (r_1)_m, (r_2)_m < g_m$ for large enough $m$ for our selection of the parameters. Thus,
$$A_{(r_i)_m} \le \frac{g_m h_m}{q^{\,g_m - (r_i)_m - 1}(\sqrt{q} - 1)^2}$$
for large enough $m$ and $i = 1, 2$. Consequently it is sufficient to show that
$$\binom{n_m}{t_m}\,\frac{g_m q^{t_m}}{q^{\,g_m - 1}(\sqrt{q} - 1)^2}\Big(q^{(r_1)_m - t_m} + q^{(r_2)_m - t_m}\,|\mathcal{J}_{F_m}[2]|\Big) < 1,$$
which is equivalent, taking logarithms, to
$$\log_q \binom{n_m}{t_m} + \log_q \frac{g_m q^{t_m}}{q^{\,g_m - 1}(\sqrt{q} - 1)^2} + \log_q\Big(q^{(r_1)_m - t_m} + q^{(r_2)_m - t_m}\,|\mathcal{J}_{F_m}[2]|\Big) < 0. \qquad (4.1)$$

Take $\varepsilon \in \mathbb{R}_{>0}$ such that
$$\tau + \frac{H_2(\tau)}{\log q} < \frac{1}{3}\left(1 - 3\kappa - \frac{(1+J)(1+\kappa)}{A} - 3\varepsilon\right),$$
which exists by hypothesis. For large enough $m$, by definition of $J$,
$$j_m \le (J + \varepsilon)\, g_m.$$
Moreover by definition of $A$ we have
$$(A - \varepsilon)\, g_m \le n_m + k_m \le A\, g_m$$
for large enough $m$. Note that this implies
$$\frac{1}{1+\kappa}(A - \varepsilon)\, g_m \le n_m \le \frac{1}{1+\kappa} A\, g_m$$
and
$$k_m \le \frac{\kappa}{1+\kappa} A\, g_m + 1.$$

We have the following observations: First, since $t_m \le \tau n_m$, from Stirling's Formula we obtain $\binom{n_m}{t_m} \le 2^{H_2(\tau) n_m}$, and hence
$$\log_q \binom{n_m}{t_m} \le \frac{H_2(\tau)}{\log q}\, n_m \le \frac{H_2(\tau)}{(1+\kappa)\log q}\, A\, g_m.$$
Second, we have
$$\log_q\Big(q^{(r_1)_m - t_m} + |\mathcal{J}(F_m)[2]|\, q^{(r_2)_m - t_m}\Big) \le \log_q 2 + \max\{2g_m - d_m + k_m - 2,\ 2d_m - n_m + j_m\}.$$
Now for large enough $m$, the following two inequalities hold:
$$2g_m - d_m + k_m - 2 \le \Big(2 - \delta + \frac{\kappa}{1+\kappa} A\Big) g_m = \Big(1 + \frac{1+J}{3} + \frac{2\kappa - 1}{3(1+\kappa)} A\Big) g_m,$$
$$2d_m - n_m + j_m \le \Big(2\delta - \frac{1}{1+\kappa}(A - \varepsilon) + (J + \varepsilon)\Big) g_m.$$
Finally, for large enough $m$, using elementary calculus and noticing $t_m \le \tau n_m$ we get
$$\log_q \frac{g_m q^{t_m}}{q^{\,g_m - 1}(\sqrt{q} - 1)^2} \le \Big(\frac{\tau}{1+\kappa} A - 1 + \varepsilon\Big) g_m.$$

Putting all these observations together we obtain that the left part of Equation (4.1) is at most
$$\frac{H_2(\tau)}{(1+\kappa)\log q}\, A\, g_m + \Big(\frac{\tau}{1+\kappa} A - 1 + \varepsilon\Big) g_m + \log_q 2 + \Big(1 + \frac{1+J}{3} + \frac{2\kappa - 1}{3(1+\kappa)} A + 2\varepsilon\Big) g_m.$$
Now using $\tau + \frac{H_2(\tau)}{\log q} < \frac{1}{3}\big(1 - 3\kappa - \frac{(1+J)(1+\kappa)}{A} - 3\varepsilon\big)$ one can see that this expression is at most $\log_q 2 - \frac{\kappa}{3(1+\kappa)} A\, g_m$, and this is clearly smaller than $0$ for large enough $m$. Therefore, we can apply Corollary 4.12 to $F_m$, for each $m \ge M_0$ (for some constant $M_0$), and we have an $(n_m, t_m, 2, n_m - t_m)$-arithmetic secret sharing scheme for $\mathbb{F}_q^{k_m}$ over $\mathbb{F}_q$ with uniformity, with $k_m = \lfloor \kappa n_m \rfloor + 1$ and $t_m = \lfloor \tau n_m \rfloor$. Since $N(F_m)$ tends to $\infty$ as $m$ tends to $\infty$ (because $A(\mathcal{F}) \ge A > 0$), the set $\mathcal{M} = \{n_m\}_{m \ge M_0}$ is infinite. This concludes the proof. □

Finally, using our paradigm we also improve the explicit lower bounds for the parameter $\tau(q)$ from [18] and [13] for all $q$ with $q \le 81$ and $q$ square, as well as for all $q$ with $q \le 9$. Recall $\tau(q)$ is defined as the maximum value of $3t/(n-1)$ which can be obtained asymptotically (when $n$ tends to infinity) when $t, n$ are subject to the condition that an $(n, t, 2, n-t)$-arithmetic secret sharing scheme for $\mathbb{F}_q$ over $\mathbb{F}_q$ exists (no uniformity required here). The new bounds are shown in the upper row of Table 1. All the new bounds marked with a star (*) are obtained by applying Theorem 4.15 and using the upper bounds given in Theorem 2.3 for the torsion limits. To obtain the rest of the new bounds, for each $q$, we apply the field descent technique in [13] to $\mathbb{F}_{q^2}$ (in the special case of $\mathbb{F}_9$, even though Theorem 4.15 can be applied directly, as remarked in Main Theorem 4.14, it is better to apply Theorem 4.15 to $\mathbb{F}_{81}$ and then use the descent technique). These are compared with the previous bounds: the ones obtained in [18] (marked also with the symbol (*)), and the rest, which were obtained in [13] by means of the aforementioned field descent technique.



        q        |   2   |   3   |   4   |   5   |   7   |    8     |   9
  New bounds     | 0.034 | 0.057 | 0.104 | 0.107 | 0.149 | 0.173(*) | 0.173
  Previous bounds| 0.028 | 0.056 | 0.086 | 0.093 | 0.111 |  0.143   | 0.167

        q        |    16    |    25    |    49    |    64    |    81
  New bounds     | 0.298(*) | 0.323(*) | 0.448(*) | 0.520(*) | 0.520(*)
  Previous bounds|  0.244   |  0.278   | 0.333(*) | 0.429(*) | 0.500(*)

TABLE 1. Lower bounds for $\tau(q)$



5. Application 2: Complexity of Extension Field Multiplication

Since the 1980's, many interesting applications of algebraic curves (or algebraic function fields of one variable) over finite fields have been found. One of these applications, which was due to D.V. Chudnovsky and G.V. Chudnovsky [19], is the study of multiplication complexity in extension fields through algebraic curves. Following the brilliant work by D.V. Chudnovsky and G.V. Chudnovsky, Shparlinski, Tsfasman and Vlăduţ [51] systematically studied this idea and extended the result in [19]. After the above pioneer research, Ballet et al. [5], [1], [2], [4] further investigated and developed the idea and obtained improvements.

Before we formulate the problem, we need to adapt some of the definitions in the previous section.

Definition 5.1. The $\mathbb{F}_q$-vector space morphism
$$\pi_0 : \mathbb{F}_{q^k} \times \mathbb{F}_q^n \to \mathbb{F}_{q^k}$$
is defined by the projection
$$(s, c_1, \dots, c_n) \mapsto s.$$
For each $i \in \{1, \dots, n\}$, the $\mathbb{F}_q$-vector space morphism
$$\pi_i : \mathbb{F}_{q^k} \times \mathbb{F}_q^n \to \mathbb{F}_q$$
is defined by the projection
$$(s, c_1, \dots, c_n) \mapsto c_i.$$
For $\emptyset \ne A \subset \{1, \dots, n\}$, the $\mathbb{F}_q$-vector space morphism
$$\pi_A : \mathbb{F}_{q^k} \times \mathbb{F}_q^n \to \mathbb{F}_q^{|A|}$$
is defined by the projection
$$(s, c_1, \dots, c_n) \mapsto (c_i)_{i \in A}.$$
For $v \in \mathbb{F}_{q^k} \times \mathbb{F}_q^n$, it is sometimes convenient to denote $\pi_0(v) \in \mathbb{F}_{q^k}$ by $v_0$ and $\pi_A(v) \in \mathbb{F}_q^{|A|}$ by $v_A$. We write $\mathcal{I}^* = \{1, \dots, n\}$.

Definition 5.2. An $n$-code for $\mathbb{F}_{q^k}$ (over $\mathbb{F}_q$) is an $\mathbb{F}_q$-vector space $C \subset \mathbb{F}_{q^k} \times \mathbb{F}_q^n$ such that

(i) $\pi_0(C) = \mathbb{F}_{q^k}$;

(ii) $(\ker \pi_{\mathcal{I}^*}) \cap C \subset (\ker \pi_0) \cap C$.

Definition 5.3. Let $\mathbb{F}_q$ be a finite field, $n \ge 1$ an integer. For two vectors $x = (x_0, x_1, \dots, x_n)$, $x' = (x_0', x_1', \dots, x_n') \in \mathbb{F}_{q^k} \times \mathbb{F}_q^n$ their product $x * x' \in \mathbb{F}_{q^k} \times \mathbb{F}_q^n$ is defined as $(x_0 x_0', x_1 x_1', \dots, x_n x_n')$, where $x_0 x_0'$ is the product in the extension field $\mathbb{F}_{q^k}$ and $x_i x_i'$ is the product in $\mathbb{F}_q$ for $i = 1, \dots, n$.

Let $d$ be a positive integer. If $C$ is an $\mathbb{F}_q$-vector subspace of $\mathbb{F}_{q^k} \times \mathbb{F}_q^n$, then $C^{*d} \subset \mathbb{F}_{q^k} \times \mathbb{F}_q^n$ is the $\mathbb{F}_q$-linear subspace generated by all terms of the form $c^{(1)} * \dots * c^{(d)}$ with $c^{(1)}, \dots, c^{(d)} \in C$. For $d = 2$, we use the abbreviation $\widehat{C} := C^{*2}$.

Now we can introduce the notion of multiplication-friendly code.

Definition 5.4. Let $n, k \in \mathbb{Z}$. An $(n, k)$-multiplication-friendly code $C$ over $\mathbb{F}_q$ is an $n$-code for $\mathbb{F}_{q^k}$ (over $\mathbb{F}_q$) such that

(i) $n, k \ge 1$;

(ii) $\widehat{C}$ is also an $n$-code for $\mathbb{F}_{q^k}$.

Remark 5.5. Since $\pi_0(C) = \mathbb{F}_{q^k}$ implies $\pi_0(\widehat{C}) = \mathbb{F}_{q^k}$, we can replace (ii) by

(ii') $(x, 0) \notin \widehat{C}$ for all $x \in \mathbb{F}_{q^k} \setminus \{0\}$

and we get an equivalent definition.

Multiplication-friendly codes are also considered in [51] and are called supercodes there. By [51, Corollary 1.13], an $(n, k)$-multiplication-friendly code $C$ over $\mathbb{F}_q$ yields a bilinear multiplication algorithm of multiplicative complexity $n$ over $\mathbb{F}_q$. Therefore, we are interested in the smallest $n$ for fixed $q$ and $k$.

Definition 5.6. $\mu_q(k) = \min_{n \in \mathbb{Z}_{>0}}\{n : \text{there exists an } (n, k)\text{-multiplication-friendly code over } \mathbb{F}_q\}$.

To measure how $\mu_q(k)$ behaves when $q$ is fixed and $k$ tends to $\infty$, we define two asymptotic quantities
$$M_q = \limsup_{k \to \infty} \frac{\mu_q(k)}{k} \qquad\text{and}\qquad m_q = \liminf_{k \in \mathbb{N}} \frac{\mu_q(k)}{k}.$$
D.V. Chudnovsky and G.V. Chudnovsky [19] first employed algebraic curves over finite fields to construct bilinear multiplication algorithms implicitly through multiplication-friendly codes in 1986 (please refer to [5] for more background). This idea was further developed in [51] in order to study the quantities $m_q$ and $M_q$. The main idea in [51] is to solve a special Riemann-Roch system, stated in Theorem 5.7. However, the role of 2-torsion points in the divisor class group was neglected in [51], and it turns out that there is a gap in the proof of the main result in [51]. Namely, the mistake is in the proof of their Lemma 3.3, page 161, the paragraph following formulas about the degrees of the divisors. It reads: "Thus the number of linear equivalence classes of degree $a$ for which either Condition $\alpha$ or Condition $\beta$ fails is at most $D_b + D_{b'}$." This is incorrect. $D_b$ should be multiplied by the torsion. Hence the proof of their asymptotic bound is incorrect, as there is an implicit but (so far) unjustified assumption on $J_2 = 0$ being possible, or rather even the stronger assumption that $\mathcal{J}[2] = \{0\}$ is possible at all levels in an asymptotically good (optimal) family. Therefore, their claim that $m_q \le 2\big(1 + \frac{1}{A(q) - 1}\big)$ is unjustified. Moreover, some other results [1], [2] use the same approach and have the same gap (the asymptotical results in their precursor [3] are based on the conjecture that a tower exists attaining certain properties). In [1] the mistake is at the very beginning of page 1801 (the sentence starts on the previous page): "Hence, the number of linear equivalence classes of divisors of degree $n + g - 1$ for which either the condition (5) or the condition (6) fails is at most $2D_{g-1}$, where $D_{g-1}$ denotes...". Hence the proof of the asymptotic bound is incorrect.

We will now give an upper bound for $m_q$ which involves the 2-torsion limit introduced in this paper. We first need to state the problem in a way that we can use the results in Section 3.

Theorem 5.7. Let $F/\mathbb{F}_q$ be an algebraic function field and $N, k \ge 1$ be integers. Suppose there exist $P_1, \dots, P_N \in \mathbb{P}^{(1)}(F)$ with $P_i \ne P_j$ ($i \ne j$) and $Q \in \mathbb{P}^{(k)}(F)$. Let $D = \sum_{i=1}^N P_i + Q \in \mathrm{Div}(F)$ and $D^- = \sum_{i=1}^N P_i \in \mathrm{Div}(F)$. Let $K \in \mathrm{Div}(F)$ be a canonical divisor. If the Riemann-Roch system
$$\begin{cases} \ell(-X + K + Q) = 0 \\ \ell(2X - D^-) = 0 \end{cases}$$
has some solution, then there exists a solution $G \in \mathrm{Div}(F)$ such that $\mathrm{supp}\, G \cap \mathrm{supp}\, D = \emptyset$ and $C = C_{\mathcal{L}}(D, G)$ is an $(N, k)$-multiplication-friendly code over $\mathbb{F}_q$.

Furthermore, write $r = \ell(2G) - \ell(2G - D^-)$. Then there exist $r$ indices $i_1, \dots, i_r \in \{1, \dots, N\}$ such that $\widetilde{C} = C_{\mathcal{L}}(\widetilde{D}, G)$ is an $(r, k)$-multiplication-friendly code, where $\widetilde{D} = \sum_{j=1}^r P_{i_j} + Q \in \mathrm{Div}(F)$. Therefore $\mu_q(k) \le r \le \ell(2G)$.
Proof. If there exists a solution, any divisor in its class of equivalence is also a solution. By the Weak Approximation Theorem, we can take an element $G$ of this class in such a way that $\mathrm{supp}\, G \cap \mathrm{supp}\, D = \emptyset$.

Suppose $G$ is a solution. We prove $C = C_{\mathcal{L}}(D, G)$ is a multiplication-friendly code. We need to verify $\pi_0(C) = \mathbb{F}_{q^k}$ and $(x, 0) \notin \widehat{C}$ for all $0 \ne x \in \mathbb{F}_{q^k}$.

Since $\deg Q = k$, it follows by the Riemann-Roch Theorem and $\ell(K - G + Q) = 0$ that $\ell(G) = \ell(G - Q) + k$. This is enough to ensure that $\pi_0(C) = \mathbb{F}_{q^k}$, as follows: Consider the map
$$\rho : \mathcal{L}(G) \to \mathbb{F}_{q^k},\qquad f \mapsto f(Q).$$
Its kernel is $\mathcal{L}(G - Q)$. So its image is isomorphic to $\mathcal{L}(G)/\mathcal{L}(G - Q)$, and this has dimension (over $\mathbb{F}_q$) $\ell(G) - \ell(G - Q) = k$. So $\pi_0(C) = \mathbb{F}_{q^k}$.

Second, as $\widehat{C} \subset C_{\mathcal{L}}(D, 2G)$, it suffices to prove that $(x, 0) \notin C_{\mathcal{L}}(D, 2G)$ for any $0 \ne x \in \mathbb{F}_{q^k}$. Or equivalently, that any $f \in \mathcal{L}(2G)$ with $f(P_i) = 0$ for $i = 1, \dots, N$ satisfies $f(Q) = 0$. But this is trivially true as in these conditions, $f \in \mathcal{L}(2G - D^-) = \{0\}$. We have proved $C$ is a multiplication-friendly code.

Finally, consider the $\mathbb{F}_q$-linear code $C_{\mathcal{L}}(D^-, 2G)$. It has dimension $r$ by definition. Let $i_1, \dots, i_r \in \{1, \dots, N\}$ be such that the code $C_{\mathcal{L}}(\widetilde{D}^-, 2G)$ of length $r$ equals $\mathbb{F}_q^r$, where $\widetilde{D}^- = \sum_{j=1}^r P_{i_j}$. Note that $\widetilde{C} = C_{\mathcal{L}}(\widetilde{D}, G)$ satisfies $\pi_0(\widetilde{C}) = \mathbb{F}_{q^k}$ trivially, since $\pi_0(C) = \mathbb{F}_{q^k}$ and $\widetilde{C}$ is obtained from $C$ by puncturing ("erasing coordinates") outside the $0$-th coordinate.

By construction, $r = \ell(2G) - \ell(2G - D^-)$. Since, by definition, it also holds that $r = \ell(2G) - \ell(2G - \widetilde{D}^-)$, it follows that $\mathcal{L}(2G - D^-) = \mathcal{L}(2G - \widetilde{D}^-)$. So if $f \in \mathcal{L}(2G - \widetilde{D}^-)$, then $f \in \mathcal{L}(2G - D^-)$. This implies $f(Q) = 0$, as shown before. □
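The genus-zero instance of this construction, worked through as an added example (not code from the paper or from [51]): $F = \mathbb{F}_p(x)$, $G = (k-1)P_\infty$, $Q$ the degree-$k$ place of a monic irreducible $m(x)$, and $N = 2k-1$ rational places $x = 0, \dots, N-1$ (so $N \le p$ is needed). Both equations of the system in Theorem 5.7 then have degree $-1$, so Remark 3.3(i) applies, and the bilinear algorithm of [51, Corollary 1.13] multiplies in $\mathbb{F}_{p^k}$ with $N = 2k-1$ multiplications in $\mathbb{F}_p$ (against $k^2$ for the schoolbook method). The example field $\mathbb{F}_{5^3} = \mathbb{F}_5[x]/(x^3 + x + 1)$ is a choice made here.

```python
"""Genus-zero instance of the construction in Theorem 5.7 (added example,
not the paper's code): F = F_p(x), G = (k-1)*P_inf, so L(G) is the space
of polynomials of degree <= k-1; the degree-k place Q is given by a monic
irreducible m(x) of degree k, i.e. f(Q) = f(alpha) in F_{p^k} = F_p[x]/(m);
the rational places P_1, ..., P_N are x = 0, ..., N-1 with N = 2k-1 (so
N <= p is required).  Field elements are coefficient lists of length k."""
import itertools

# Constructed example field F_{5^3} = F_5[x] / (x^3 + x + 1); the cubic has
# no root in F_5 (values 1, 3, 1, 1, 4 at x = 0..4), hence is irreducible.
P_EXAMPLE = 5
M_EXAMPLE = [1, 1, 0, 1]       # 1 + x + x^3, low degree first


def poly_mul(a, b, p):
    """Product of two coefficient lists over F_p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def poly_mod(a, m, p):
    """Remainder of a modulo the monic polynomial m, padded to deg(m) entries."""
    a, k = a[:], len(m) - 1
    for i in range(len(a) - 1, k - 1, -1):
        c = a[i]
        if c:
            for j in range(k + 1):
                a[i - k + j] = (a[i - k + j] - c * m[j]) % p
    return (a[:k] + [0] * k)[:k]


def eval_poly(coeffs, x, p):
    """Horner evaluation of a coefficient list at x in F_p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def interpolate(xs, ys, p):
    """Coefficients of the unique polynomial of degree < len(xs) with value
    ys[i] at xs[i] (Lagrange basis polynomials expanded into coefficients)."""
    n = len(xs)
    result = [0] * n
    for i in range(n):
        basis, den = [1], 1
        for j in range(n):
            if j != i:
                basis = poly_mul(basis, [(-xs[j]) % p, 1], p)
                den = den * (xs[i] - xs[j]) % p
        scale = ys[i] * pow(den, -1, p) % p
        for deg, c in enumerate(basis):
            result[deg] = (result[deg] + scale * c) % p
    return result


def schoolbook_mul(a, b, m, p):
    """Reference product in F_{p^k}: k*k products in F_p, then reduce mod m."""
    return poly_mod(poly_mul(a, b, p), m, p)


def friendly_mul(a, b, m, p):
    """Bilinear multiplication through the (N, k)-multiplication-friendly
    code C = C_L(D, G), N = 2k-1, in the manner of [51, Corollary 1.13]:
      1. encode a, b as codewords of C: shares f_a(P_i), f_b(P_i) (F_p-linear);
      2. multiply the shares coordinate-wise: N products in F_p, the only
         operations depending on both inputs;
      3. the result is the codeword of C^{*2} with secret f_a f_b (Q); since
         C^{*2} is an N-code, the shares determine it: interpolate the
         degree <= 2k-2 < N polynomial f_a f_b and reduce it modulo m.
    Returns (product, number of bilinear F_p multiplications)."""
    k = len(m) - 1
    N = 2 * k - 1
    assert N <= p, "need N distinct rational places x = 0, ..., N-1 in F_p"
    xs = list(range(N))
    shares_a = [eval_poly(a, x, p) for x in xs]
    shares_b = [eval_poly(b, x, p) for x in xs]
    prod_shares = [(u * v) % p for u, v in zip(shares_a, shares_b)]
    g = interpolate(xs, prod_shares, p)          # g = f_a * f_b exactly
    return poly_mod(g, m, p), N


def exhaustive_check(m, p):
    """Compare friendly_mul with schoolbook_mul on every pair of elements of
    F_{p^k}; returns the bilinear multiplication count N = 2k-1 on success."""
    k = len(m) - 1
    elems = [list(e) for e in itertools.product(range(p), repeat=k)]
    used = None
    for a in elems:
        for b in elems:
            got, used = friendly_mul(a, b, m, p)
            if got != schoolbook_mul(a, b, m, p):
                raise AssertionError(f"mismatch for {a} * {b}")
    return used


if __name__ == "__main__":
    # (1 + 2*alpha) * (alpha + alpha^2) in F_{5^3}: 5 bilinear products
    # instead of 9, i.e. mu_5(3) <= 5.
    print(friendly_mul([1, 2, 0], [0, 1, 1], M_EXAMPLE, P_EXAMPLE))
    print(exhaustive_check(M_EXAMPLE, P_EXAMPLE))
```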

Combining Theorem 5.7 with Theorem 3.2 we get

Theorem 5.8. Let $F/\mathbb{F}_q$ be an algebraic function field and $N, k \ge 1$ be integers. Suppose $|\mathbb{P}^{(1)}(F)| \ge N$ and $\mathbb{P}^{(k)}(F)$ is not empty. If there is a positive integer $d$ such that
$$h > A_{2g - 2 - d + k} + A_{2d - N}\,|\mathcal{J}[2]|,$$
then $\mu_q(k) \le \max\{\ell(2G) : G \in \mathrm{Div}(F),\ \deg G = d\}$. In particular, if in addition $d > g - 1$, then $\mu_q(k) \le 2d - g + 1$.

Note that the last part is a consequence of the fact that if $\deg G = d > g - 1$, then $\deg 2G = 2d > 2g - 2$ and by Riemann-Roch, $\ell(2G) = 2d - g + 1$.
Theorem 5.9. Let $\mathbb{F}_q$ be a finite field. If there exists a real number $a \le A(q)$ with $a > 1 + J_2(q, a)$, then
$$m_q \le 2\left(1 + \frac{1}{a - J_2(q, a) - 1}\right).$$
In particular, if $A(q) > 1 + J_2(q, A(q))$, then
$$m_q \le 2\left(1 + \frac{1}{A(q) - J_2(q, A(q)) - 1}\right).$$

Proof. Let $\mathcal{F} = \{F_s/\mathbb{F}_q\}_{s=1}^{\infty}$ be an infinite family of function fields with limit $A(\mathcal{F}) = A \ge a$ and such that $J_2(\mathcal{F}) = J_2(q, a)$, which exists by definition. Let $\kappa > 0$ be a real number; its precise value will be determined later. Define, for every $s$, $g_s = g(F_s)$, $n_s = N_1(F_s)$, $k_s = \lfloor \kappa g_s \rfloor$ and $j_s = \log_q |\mathcal{J}_{F_s}[2]|$. Note that $\lim_{s\to\infty} n_s/g_s = A$ and $\lim_{s\to\infty} j_s/g_s = J_2(q, a)$.

We will apply Theorem 5.8 to all large enough function fields $F_s$. It is enough to verify that there exists a place $Q$ of degree $k_s$ in $F_s$ and that
(5.1)
$$h(F_s) > A_{2g_s - 2 - d_s + k_s} + |\mathcal{J}[2]|\, A_{2d_s - n_s}$$
holds for some $d_s$.

First note that [52, Corollary 5.2.10(c)] states that for any function field $F$ and any positive integer $k$ with $q^{(k-1)/2}(q^{1/2} - 1) \ge 2g(F) + 1$, there is at least one place of degree $k$. In our setting, since $\lim_{s\to\infty} k_s/g_s = \kappa > 0$, a place of degree $k_s$ exists in $F_s$ for large enough $s$.

Fix some $\epsilon > 0$. Suppose that for some value of $s$ we have
(5.2)
$$k_s \le \frac{n_s - g_s - j_s}{2} - \epsilon g_s - 1.$$
Then it is easy to see that we can choose an integer $d_s$ with
(5.3)
$$d_s \ge k_s + g_s + \frac{\epsilon}{2} g_s$$
and
(5.4)
$$2d_s \le n_s + g_s - j_s - \epsilon g_s.$$
Then for this selection of $d_s$ we can apply Proposition 3.4 to get
(5.5)
$$\frac{A_{2g_s - 2 - d_s + k_s}}{h} \le \frac{g_s}{q^{\,g_s - (2g_s - 2 - d_s + k_s) - 1}\,(\sqrt{q} - 1)^2}$$
and
(5.6)
$$\frac{|\mathcal{J}[2]|\, A_{2d_s - n_s}}{h} \le \frac{|\mathcal{J}[2]|\, g_s}{q^{\,g_s - (2d_s - n_s) - 1}\,(\sqrt{q} - 1)^2}.$$
Now if $s$ is large enough, equations (5.3) and (5.5) imply that
$$A_{2g_s - 2 - d_s + k_s} < h/3,$$
and equations (5.4) and (5.6) imply that
$$|\mathcal{J}[2]|\, A_{2d_s - n_s} < h/3,$$
so equation (5.1) holds and we can apply Theorem 5.8; since in addition $d_s > g_s - 1$ by equation (5.3), this gives $\mu_q(k_s) \le 2d_s - g_s + 1$. In particular, since we can take $\epsilon$ arbitrarily small, we can choose $d_s = k_s + g_s + 1$, and this yields the bound $\mu_q(k_s) \le 2k_s + g_s + 3$.

So all that is left is to determine when we can fulfill condition (5.2). It is not difficult to see that if $\kappa < \frac{A - 1 - J_2(q, a)}{2}$, then for an infinite number of values of $s$, and for small enough (but constant) $\epsilon$, the condition holds.

Therefore, for those values of $s$, we have
$$\frac{\mu_q(k_s)}{k_s} \le \frac{2k_s + g_s + 3}{k_s} \le 2 + \frac{1}{\kappa} + o(1)$$
for any $\kappa < \frac{A - 1 - J_2(q, a)}{2}$. Hence
$$m_q = \liminf_{k\to\infty} \frac{\mu_q(k)}{k} \le 2 + \frac{2}{A - 1 - J_2(q, a)} \le 2\left(1 + \frac{1}{a - J_2(q, a) - 1}\right),$$
which finishes the proof. □



Remark 5.10. Recently in [47], H. Randriambololona proved that the original result claimed in [51], i.e. $m_q \le 2\left(1 + \frac{1}{A(q) - 1}\right)$, can indeed be attained in the case $A(q) > 5$.³

From Theorem 2.6 we can apply Theorem 5.9 to all fields $\mathbb{F}_q$ with $q \ge 8$, except perhaps $q = 11$ and $13$. These include several fields for which the result in Remark 5.10 cannot be applied directly. However, we must also take into account the following descent lemma which, combined with any of these results, allows one to obtain upper bounds for $m_q$ for all fields $\mathbb{F}_q$.

Lemma 5.11. [51, Corollary 1.3] For every finite field $\mathbb{F}_q$ and every positive integer $k$, we have
$$m_q \le \frac{\mu_q(k)}{k}\, m_{q^k}.$$

In order to obtain explicit results, we need some values of $\mu_q(k)$ for small values of $k$. We can use the following lemma, which can be found, for example, in [15, Example III.5].

Lemma 5.12. [15, Example III.5] Let $q$ be a prime power and $k$ be an integer with $2 \le k \le q/2 + 1$. Then $\mu_q(k) = 2k - 1$. In particular $\mu_q(2) = 3$ for every $q$ and $\mu_q(3) = 5$ for every $q \ge 4$.

³ Note that in [17], our notion $m_q$ is denoted by
Corollary 5.13. For every prime power $q$, we have $m_q \le \frac{3}{2} m_{q^2}$, and if $q \ge 4$, then $m_q \le \frac{5}{3} m_{q^3}$.

These observations allow us to compare the bounds which result from Theorem 5.9 with those implied by the result in Remark 5.10. We find that our Theorem 5.9 gives the best bound in the cases $q = 16, 25, 32$, while for the remaining cases, applying Remark 5.10 in a suitable extension and then using the descent results above is preferable, given the current knowledge about $A(q)$ and the bounds for the torsion limit given in Theorem 2.3. We give some examples in Table 2. For $q = 8, 9, 27$, the results are found by applying Theorem 5.9 and Remark 5.10 to $\mathbb{F}_{q^2}$ (followed by Corollary 5.13). Note in particular that it would be possible to apply Theorem 5.9 directly in these cases, yet it would give a worse bound. For $q = 4, 5$, we apply Theorem 5.9 and Remark 5.10 to $\mathbb{F}_{q^3}$. For $q = 2, 3$ we use the bounds for $m_{q^2}$ that we have just computed. Finally, for $q = 16, 25, 32$ we apply Theorem 5.9 directly on $\mathbb{F}_q$, while we apply Remark 5.10 on $\mathbb{F}_{q^2}$. For the case $q = 16$, the fact that we can prove an improved torsion bound (we are in case (iii) of Theorem 2.3) using the theorem of Deuring-Shafarevich is significant, as otherwise we would only be able to prove the bound $\le 3.334$ this way.



    q           2       3       4       5       8
    Thm. 5.9    5.836   5.174   3.891   3.932   3.501
    Rem. 5.10   5.834   5.143   3.889   3.903   3.5

    q           9       16      25      27      32
    Thm. 5.9    3.449   3.026   2.779   3.121   2.667
    Rem. 5.10   3.429   3.215   3.131   3.12    3.1

Table 2. Upper bounds for $m_q$.
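As an added example (not from the paper), the following Python script carries out the descent route the text describes for the "Rem. 5.10" row of Table 2: the bound of Remark 5.10, $m_Q \le 2(1 + 1/(A(Q) - 1))$ for $A(Q) > 5$, applied to an extension $\mathbb{F}_Q$ with $Q = q^2$ or $q^3$, followed by Lemma 5.11 with the values of Lemma 5.12 (i.e. Corollary 5.13). It assumes the known value $A(Q) = \sqrt{Q} - 1$ for square $Q$ (Ihara; Tsfasman-Vlăduţ-Zink), which this page does not state, and therefore skips $q = 5$, whose entry needs a bound on $A(125)$. Bounds are rounded up to three decimals, as in the table. The "Thm. 5.9" row is not recomputed here because it depends on the torsion-limit bounds of Theorem 2.3; only the descent step from the $q = 4, 9$ entries to the $q = 2, 3$ entries is checked for it. Function names are mine.

```python
# Added example (not from the paper): the descent procedure behind Table 2.
# Ingredients: Lemma 5.11 (m_q <= mu_q(k)/k * m_{q^k}), Lemma 5.12
# (mu_q(k) = 2k - 1 for 2 <= k <= q/2 + 1), Remark 5.10 (m_Q <= 2(1 + 1/(A(Q)-1))
# for A(Q) > 5) and the assumed value A(Q) = sqrt(Q) - 1 for square Q.
from fractions import Fraction
import math


def lemma_5_12_applies(q, k):
    """Range of validity of mu_q(k) = 2k - 1 in Lemma 5.12."""
    return 2 <= k <= Fraction(q, 2) + 1


def mu_small(q, k):
    """mu_q(k) for the small k covered by Lemma 5.12."""
    if not lemma_5_12_applies(q, k):
        raise ValueError(f"Lemma 5.12 does not cover mu_{q}({k})")
    return 2 * k - 1


def descend(q, k, bound_on_m_qk):
    """Lemma 5.11: from an upper bound on m_{q^k} get m_q <= mu_q(k)/k * m_{q^k}."""
    return Fraction(mu_small(q, k), k) * Fraction(bound_on_m_qk)


def ihara_limit_square(Q):
    """A(Q) = sqrt(Q) - 1 for square Q (assumed known fact, not on this page)."""
    root = math.isqrt(Q)
    if root * root != Q:
        raise ValueError(f"{Q} is not a square; A({Q}) is not known exactly")
    return root - 1


def remark_5_10(A):
    """m_Q <= 2(1 + 1/(A(Q) - 1)), valid when A(Q) > 5 (Remark 5.10)."""
    if A <= 5:
        raise ValueError("Remark 5.10 requires A(Q) > 5")
    return 2 * (1 + Fraction(1, A - 1))


def round_up(x, places=3):
    """Upper bounds are reported rounded up, as Table 2 does."""
    scale = 10 ** places
    return Fraction(math.ceil(Fraction(x) * scale), scale)


def table2_remark_row():
    """Recompute the 'Rem. 5.10' row of Table 2 by the route the text describes:
    q = 8, 9, 16, 25, 27, 32 via F_{q^2} and Corollary 5.13 (k = 2);
    q = 4 via F_{q^3} (k = 3); q = 2, 3 from the q^2 = 4, 9 results."""
    row = {}
    for q in (8, 9, 16, 25, 27, 32):
        row[q] = descend(q, 2, remark_5_10(ihara_limit_square(q ** 2)))
    row[4] = descend(4, 3, remark_5_10(ihara_limit_square(4 ** 3)))
    row[2] = descend(2, 2, row[4])
    row[3] = descend(3, 2, row[9])
    return {q: round_up(v) for q, v in sorted(row.items())}


if __name__ == "__main__":
    for q, v in table2_remark_row().items():
        print(f"q = {q:2d}: m_q <= {float(v):.3f}")
```

The row produced agrees with the "Rem. 5.10" row of Table 2 for every $q$ it covers. For the "Thm. 5.9" row, `descend(2, 2, Fraction("3.891"))` gives $5.8365$, which matches the tabulated $5.836$ up to the rounding of the $q = 4$ entry.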



In the rest of this section, we improve the state of the art [15] regarding lower bounds on the limit $M_q$, for small values of $q$ such as $q = 2, 3, 4, 5$. The following result can be found in [15].

Proposition 5.14. Let $F/\mathbb{F}_q$ be a function field with $r$ distinct places $P_1, \dots, P_r$. Let $Q$ be a place of degree $k$. If there exists a divisor $G$ such that the following two conditions are satisfied
(i) $\ell(G) - \ell(G - Q) = \deg(Q)$;
(ii) $\ell(2G - \sum_{i=1}^{r} P_i) = 0$,
then
$$\mu_q(k) \le \sum_{i=1}^{r} \mu_q(s_i),$$
where $s_i = \deg(P_i)$ for all $1 \le i \le r$.
The two conditions of Proposition 5.14 can be replaced by the solvability of a certain Riemann-Roch system, as shown below.

Corollary 5.15. Let $F/\mathbb{F}_q$ be a function field with $r$ distinct places $P_1, \dots, P_r$. Let $Q$ be a place of degree $k$. If the Riemann-Roch system
$$\begin{cases} \ell(K - X + Q) = 0 \\ \ell\left(2X - \sum_{i=1}^{r} P_i\right) = 0 \end{cases}$$
has solutions for a canonical divisor $K$, then
$$\mu_q(k) \le \sum_{i=1}^{r} \mu_q(s_i),$$
where $s_i = \deg(P_i)$ for all $1 \le i \le r$.

Proof. Suppose that $G$ is a solution. Then we have $\mathcal{L}(K - G + Q) = 0$, and hence $\mathcal{L}(K - G) = 0$. Thus, by the Riemann-Roch Theorem,
$$\ell(G) - \ell(G - Q) = \deg(Q) + \ell(K - G) - \ell(K - G + Q) = \deg(Q).$$
The desired result follows from Proposition 5.14. □

Now combining Corollary 5.15 with Theorem 3.2 we obtain a numerical condition.

Theorem 5.16. Let $F/\mathbb{F}_q$ be a function field with $r$ distinct places $P_1, \dots, P_r$. Let $Q$ be a place of degree $k$. Denote by $A_r$ the number of effective divisors of degree $r$ in $\mathrm{Div}(F)$. If there is a positive integer $d$ such that the divisor class number $h$ is greater than $A_{2g-2-d+k} + |\mathcal{J}[2]|\, A_{2d - \sum_{i=1}^{r} s_i}$, then
$$\mu_q(k) \le \sum_{i=1}^{r} \mu_q(s_i),$$
where $s_i = \deg(P_i)$ for all $1 \le i \le r$.

To derive a lower bound on $M_q$, we need a family of Shimura curves whose genus grows slowly (see [15, Lemma IV.4]).

Lemma 5.17. For any prime power $q$ and integer $t \ge 1$, there exists a family $\{X_s\}_{s=1}^{\infty}$ of Shimura curves over $\mathbb{F}_q$ such that
(i) the genus $g(F_s) \to \infty$ as $s$ tends to $\infty$, where $F_s$ stands for the function field $\mathbb{F}_q(X_s)$;
(ii) $\lim_{s\to\infty} g(F_s)/g(F_{s-1}) = 1$;
(iii) $\lim_{s\to\infty} B_{2t}(F_s)/g(F_s) = (q^t - 1)/(2t)$, where $B_{2t}(F_s)$ stands for the number of places of degree $2t$ in $F_s$.

Now we are ready to derive the following result.

Theorem 5.18. For a prime power $q$, one has
$$M_q \le \begin{cases} \dfrac{(q^t - 1)\,\mu_q(2t)}{t\,(q^t - 2 - \log_q 2)} & \text{if } q \text{ is even}, \\[3mm] \dfrac{(q^t - 1)\,\mu_q(2t)}{t\,(q^t - 2 - 2\log_q 2)} & \text{otherwise} \end{cases}$$
for any $t \ge 1$, as long as $q^t - 2 - \log_q 2 > 0$ for even $q$, and $q^t - 2 - 2\log_q 2 > 0$ for odd $q$.

Proof. We prove the theorem only for the case where $q$ is a power of $2$. For the odd characteristic case, the only difference is the size of $\mathcal{J}[2]$.

Let $\{F_s/\mathbb{F}_q\}_{s=1}^{\infty}$ be a family of function fields with the three properties in Lemma 5.17. For every $k \ge 2$, let $s(k)$ be the smallest positive integer such that
(5.7)
$$B_{2t}(F_{s(k)}) \ge r := \left\lceil \frac{\frac{g_{s(k)}}{2}(1 + \log_q 2) + k + \frac{3}{2}\log_q\left(\frac{3 g_{s(k)}}{(\sqrt{q} - 1)^2}\right) + 1}{t} \right\rceil,$$
where $g_{s(k)}$ is the genus $g(F_{s(k)})$ of $F_{s(k)}$.

Thus, we can find $r$ places of degree $2t$ in $F_{s(k)}$. By the definition of $r$ in Equation (5.7), we have
(5.8)
$$g_{s(k)} + k + \log_q\left(\frac{3 g_{s(k)}}{(\sqrt{q} - 1)^2}\right) \le \frac{1}{2} g_{s(k)}(1 - \log_q 2) + rt - \frac{1}{2}\log_q\left(\frac{3 g_{s(k)}}{(\sqrt{q} - 1)^2}\right).$$
Therefore, we can find an integer $d$ between $g_{s(k)} + k + \log_q\left(\frac{3 g_{s(k)}}{(\sqrt{q} - 1)^2}\right)$ and $\frac{1}{2} g_{s(k)}(1 - \log_q 2) + rt - \frac{1}{2}\log_q\left(\frac{3 g_{s(k)}}{(\sqrt{q} - 1)^2}\right)$, i.e., we have
(5.9)
$$\frac{g_{s(k)}}{q^{\,g_{s(k)} - (2g_{s(k)} - d + k) - 1}\,(\sqrt{q} - 1)^2} \le \frac{1}{3}$$
and
(5.10)
$$\frac{g_{s(k)}\, 2^{g_{s(k)}}}{q^{\,g_{s(k)} - (2d - 2rt) - 1}\,(\sqrt{q} - 1)^2} \le \frac{1}{3}.$$
Using the fact that $|\mathcal{J}[2]| \le 2^{g_{s(k)}}$ and combining Equations (5.9), (5.10) and Proposition 3.4, we get
$$h > \frac{2h}{3} \ge A_{2g_{s(k)} - d + k} + |\mathcal{J}[2]|\, A_{2d - 2rt},$$
where $h$ is the zero divisor class number of $F_{s(k)}$. By Theorem 5.16 we have
$$\mu_q(k) \le r\,\mu_q(2t).$$
On the other hand, by the choice of $s(k)$, we know that
(5.11)
$$B_{2t}(F_{s(k)-1}) < \frac{\frac{g_{s(k)}}{2}(1 + \log_q 2) + k + \frac{3}{2}\log_q\left(\frac{3 g_{s(k)}}{(\sqrt{q} - 1)^2}\right) + 1}{t} + 1.$$
By property (iii) in Lemma 5.17, the inequality (5.11) gives
(5.12)
$$k > \frac{(q^t - 1)\, g_{s(k)-1}}{2} - \frac{g_{s(k)-1}}{2}(1 + \log_q 2) + o(g_{s(k)-1}).$$
Finally, by Theorem 5.16 we have
$$\frac{\mu_q(k)}{k} \le \frac{r\,\mu_q(2t)}{k} \le \frac{\mu_q(2t)}{k}\left(\frac{\frac{g_{s(k)}}{2}(1 + \log_q 2) + k + \frac{3}{2}\log_q\left(\frac{3 g_{s(k)}}{(\sqrt{q} - 1)^2}\right) + 1}{t} + 1\right)$$
$$= \frac{\mu_q(2t)}{t}\left(1 + \frac{(1 + \log_q 2)\, g_{s(k)} + o(g_{s(k)})}{2k}\right)$$
$$\le \frac{\mu_q(2t)}{t}\left(1 + \frac{(1 + \log_q 2)\, g_{s(k)} + o(g_{s(k)})}{(q^t - 1)\, g_{s(k)-1} - g_{s(k)-1}(1 + \log_q 2) + o(g_{s(k)-1})}\right) \longrightarrow \frac{(q^t - 1)\,\mu_q(2t)}{t\,(q^t - 2 - \log_q 2)}$$
as $k \to \infty$, where the last step uses property (ii) in Lemma 5.17. This finishes the proof. □



Note that in [15], a trivial solution of the Riemann-Roch system in Corollary 5.15 was used, because the torsion limit was not considered, and hence a weaker bound on $M_q$ was derived in [15].

With the help of the torsion-limit technique and Riemann-Roch systems, we can bring down the upper bound derived in [15, Theorem IV.5] and hence obtain further improvements on $M_q$ for small values of $q$. Here we only provide upper bounds for a few small $q$ to demonstrate our improvements.

Corollary 5.19. One has the upper bounds on $M_q$ for $q = 2, 3, 4, 5$ shown in the following table.

    q       2       3       4       5
    M_q     7.23    5.45    4.98    4.74

Proof. (i) For $q = 2$, the desired result follows from Theorem 5.18 by taking $t = 6$ and applying $\mu_2(12) \le 42$.
(ii) For $q = 3$, the desired result follows from Theorem 5.18 by taking $t = 5$ and applying $\mu_3(10) \le 27$.
(iii) For $q = 4$, the desired result follows from Theorem 5.18 by taking $t = 3$ and applying $\mu_4(6) \le 14$.
(iv) For $q = 5$, the desired result follows from Theorem 5.18 by taking $t = 2$ and applying $\mu_5(4) = 8$. □
6. Application 3: Asymptotic Bounds for Frameproof Codes

6.1. Definitions and basic results. Let $S$ be a finite set of $q$ elements (we denote by $\mathbb{F}_q$ the finite field with $q$ elements if $q$ is a prime power) and let $n$ be a positive integer. Define the $i$-th projection:
$$\pi_i : S^n \to S, \qquad (a_1, \dots, a_n) \mapsto a_i.$$

Definition 6.1. For a subset $A \subseteq S^n$, we define the descendants of $A$, $\mathrm{desc}(A)$, to be the set of all words $\mathbf{x}$ such that for each $1 \le i \le n$, there exists $\mathbf{a} \in A$ satisfying $\pi_i(\mathbf{x} - \mathbf{a}) = 0$.

Definition 6.2. Let $s \ge 2$ be an integer. A $q$-ary $s$-frameproof code of length $n$ is a subset $C \subseteq S^n$ such that for all $A \subseteq C$ with $|A| \le s$, the intersection $\mathrm{desc}(A) \cap C$ is the same as $A$.

From the definition of frameproof codes, it is clear that a $q$-ary $s$-frameproof code $C$ is a $q$-ary $s_1$-frameproof code for any $2 \le s_1 \le s$.

Following the notation from [53], we denote a $q$-ary $s$-frameproof code in $S^n$ of size $M$ by $s$-FPC$(n, M)$. As usual, we denote a $q$-ary error-correcting code of length $n$, size $M$ and minimum distance $d$ by $(n, M, d)$-code, or $[n, \log_q M, d]$-linear code if the code is linear.

We want to look at the asymptotic behavior of $s$-frameproof codes in the sense that $q$ and $s$ are fixed and the length $n$ tends to infinity.

Definition 6.3. For fixed integers $q \ge 2$, $s \ge 2$ and $n \ge 2$, let $M_q(n, s)$ denote the maximal size of $q$-ary $s$-frameproof codes of length $n$, i.e.,
$$M_q(n, s) := \max\{M : \text{there exists a } q\text{-ary } s\text{-FPC}(n, M)\}.$$
For fixed $q$ and $s$, define the asymptotic quantity
$$R_q(s) = \limsup_{n\to\infty} \frac{\log_q M_q(n, s)}{n}.$$

It seems that the exact values of $R_q(s)$ are not easy to determine for any given $q$ and $s$. Instead, we will get some lower bounds on $R_q(s)$. Before looking at lower bounds, we first derive an upper bound on $R_q(s)$ from [10].

Theorem 6.4.
$$R_q(s) \le \frac{1}{s}.$$

Proof. By Theorem 1 of [10], we have
$$M_q(n, s) \le \max\left\{ q^{\lceil n/s \rceil},\; r\left(q^{\lceil n/s \rceil} - 1\right) + (s - r)\left(q^{\lfloor n/s \rfloor} - 1\right) \right\},$$
where $r \in \{0, 1, \dots, s - 1\}$ is the remainder of $n$ divided by $s$. Thus, we have
$$M_q(n, s) \le s\, q^{\lceil n/s \rceil}.$$
The desired result follows. □
From now on we will concentrate on lower bounds on $R_q(s)$. Let us first recall the constructions from

Proposition 6.5. Let $q$ be a prime power. Then a $q$-ary $[n, k, d]$-linear code $C$ is a $q$-ary $s$-FPC$(n, q^k)$ with $s = \lfloor (n - 1)/(n - d) \rfloor$.

Remark 6.6. This construction shows that the crucial parameter $s$ is determined only by the minimum distance of $C$ if the length is given.
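As an added example (not from the paper), the following Python code is a brute-force check of Definitions 6.1 and 6.2 and of Proposition 6.5 on a small constructed code: a Reed-Solomon code over $\mathbb{F}_5$ of length $4$ and dimension $2$, which has minimum distance $d = 3$ and therefore $s = \lfloor (n-1)/(n-d) \rfloor = 3$. The check also shows that this particular code is not $4$-frameproof, so here the parameter of Proposition 6.5 is the best possible. All function names are mine.

```python
# Added example (not from the paper): descendants, the s-frameproof property
# and the parameter s of Proposition 6.5, checked by exhaustive search on a
# constructed Reed-Solomon code over the prime field F_5.
from itertools import combinations, product


def descendants(A):
    """desc(A) of Definition 6.1: the words whose i-th symbol equals the i-th
    symbol of some word of A, for every coordinate i.  The condition is
    coordinate-wise, so desc(A) is the Cartesian product of the sets of
    symbols that A shows in each coordinate."""
    words = list(A)
    n = len(words[0])
    per_coordinate = [{w[i] for w in words} for i in range(n)]
    return set(product(*per_coordinate))


def is_frameproof(C, s):
    """Definition 6.2: C is s-frameproof iff desc(A) & C == A for every
    non-empty A subset of C with |A| <= s."""
    C = set(C)
    for r in range(1, s + 1):
        for A in combinations(sorted(C), r):
            if descendants(A) & C != set(A):
                return False
    return True


def reed_solomon_code(q, k, points):
    """Constructed sample: evaluations of all polynomials of degree < k with
    coefficients in F_q (q prime) at the given distinct points.  This is an
    MDS [n, k, n - k + 1] code."""
    code = set()
    for coeffs in product(range(q), repeat=k):
        code.add(tuple(sum(c * pow(x, j, q) for j, c in enumerate(coeffs)) % q
                       for x in points))
    return code


def min_distance(C):
    """Minimum Hamming distance of a code, by brute force."""
    return min(sum(a != b for a, b in zip(u, v))
               for u, v in combinations(list(C), 2))


def frameproof_parameter(n, d):
    """s = floor((n - 1)/(n - d)) from Proposition 6.5 (needs d < n)."""
    return (n - 1) // (n - d)


if __name__ == "__main__":
    C = reed_solomon_code(5, 2, [1, 2, 3, 4])   # 25 codewords of length 4 over F_5
    n, d = 4, min_distance(C)                  # d = 3
    s = frameproof_parameter(n, d)             # s = 3
    print(f"|C| = {len(C)}, d = {d}, s = {s}, "
          f"{s}-frameproof: {is_frameproof(C, s)}, "
          f"{s + 1}-frameproof: {is_frameproof(C, s + 1)}")
```

The reason the code fails to be $4$-frameproof is visible in the construction: two distinct polynomials of degree less than $2$ agree in at most one of the four evaluation points, so three other codewords can cover at most three coordinates of a fourth word, but four codewords can cover all of them (for instance the evaluations of $x - 1, x - 2, x - 3, x - 4$ cover every coordinate of the zero word).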

From the above relationship between linear codes and frameproof codes, we immediately obtain a lower bound on $R_q(s)$ from the Gilbert-Varshamov bound.

Theorem 6.7. Let $q$ be a prime power and $2 \le s \le q$ an integer. Then
$$R_q(s) \ge 1 - H_q\left(1 - \frac{1}{s}\right),$$
where
$$H_q(\delta) = \delta \log_q(q - 1) - \delta \log_q \delta - (1 - \delta)\log_q(1 - \delta)$$
is the $q$-ary entropy function.

Proof. The desired result follows directly from the Gilbert-Varshamov bound and Proposition 6.5. □

Remark 6.8. The bound in Theorem 6.7 is only an existence result, as the Gilbert-Varshamov bound is not constructive.

6.2. Lower Bounds from AG Codes. In this section, we introduce two lower bounds on $R_q(s)$ from algebraic geometry codes. One bound can be obtained by directly applying Proposition 6.5 and the Tsfasman-Vlăduţ-Zink bound [55]. The second bound employs our torsion limits.

Theorem 6.9. For a prime power $q$ and an integer $s \ge 2$, we have
$$R_q(s) \ge \frac{1}{s} - \frac{1}{A(q)}.$$

Proof. Let $\delta = 1 - 1/s$. Combining Proposition 6.5 with the TVZ bound, we obtain the desired result. □

Remark 6.10. (i) The bound in Theorem 6.9 is constructive as long as sequences of curves attaining $A(q)$ are explicit.
(ii) It is easy to check that for every $s \ge 2$, the bound in Theorem 6.9 is better than the one in Theorem 6.7 for sufficiently large square $q$. For instance, for $s = 2$ and a square $q \ge 49$, the bound in Theorem 6.9 is always better than the one in Theorem 6.7.
(iii) Comparing with the upper bound in Theorem 6.4, we find that
$$\frac{1}{s} - \frac{1}{A(q)} \le R_q(s) \le \frac{1}{s}.$$
Since $1/A(q) \to 0$ as $q \to \infty$ (see [44]), $R_q(s)$ gets closer to $1/s$ as $q \to \infty$. The result $R_q(s) \sim 1/s$ is also implicitly stated in [20] by combining Propositions 2 and 3 there.

The bound in Theorem 6.9 has been further improved in [60] and in subsequent work, as follows.

Theorem 6.11. (i) [60] For every $2 \le s \le A(q)$, one has
$$R_q(s) \ge \frac{1}{s} - \frac{1}{A(q)} + \frac{1 - 2\log_q s}{sA(q)};$$
(ii) let $s$ be the characteristic of $\mathbb{F}_q$; then one has
(iii) [46] For $A(q) > 5$, one has
$$R_q(2) \ge \frac{1}{2} - \frac{1}{2A(q)}.$$

For the rest of this section, we derive a lower bound on $R_q(s)$ by making use of the idea from [60] and our torsion limit. In particular, the bounds (i) and (ii) of Theorem 6.11 can be deduced from our lower bound in Theorem 6.16. Furthermore, we improve the above bounds in the following two cases: (i) when $q$ is a square and $s$ is the characteristic of $\mathbb{F}_q$, the bound in Theorem 6.11(ii) can be improved significantly (see Corollary 6.17(i)); (ii) when $s$ does not divide $q - 1$, the bound in Theorem 6.11(i) can be improved (see Corollary 6.17(ii)).

Let $P_1, P_2, \dots, P_n$ be $n$ distinct rational points of a function field $F$ over the finite field $\mathbb{F}_q$. Choose a positive divisor $G$ such that $\mathcal{L}(G - \sum_{i=1}^{n} P_i) = \{0\}$. Let $v_{P_i}(G) = v_i \ge 0$ and let $t_i$ be a local parameter at $P_i$ for each $i$.

Consider the map
$$\phi : \mathcal{L}(G) \to \mathbb{F}_q^n, \qquad f \mapsto \left((t_1^{v_1} f)(P_1), (t_2^{v_2} f)(P_2), \dots, (t_n^{v_n} f)(P_n)\right).$$
Then the image of $\phi$ forms a subspace of $\mathbb{F}_q^n$ that is defined as an algebraic geometry code. The image of $\phi$ is denoted by $\mathcal{C}$, or simply $C(\sum_{i=1}^{n} P_i, G)_L$. The map $\phi$ is an embedding since $\mathcal{L}(G - \sum_{i=1}^{n} P_i) = \{0\}$, and the dimension of $\mathcal{C}$ is equal to $\ell(G)$.

Remark 6.12. Notice that the above construction is a modified version of the algebraic geometry codes defined by Goppa. The advantage of the above construction is that it makes it possible to get rid of the condition $\mathrm{Supp}(G) \cap \{P_1, P_2, \dots, P_n\} = \emptyset$. This is crucial for our construction of frameproof codes in this section.

When the condition $\mathrm{Supp}(G) \cap \{P_1, P_2, \dots, P_n\} = \emptyset$ is satisfied, i.e., $v_i = 0$ for all $i = 1, \dots, n$, the above construction of algebraic geometry codes coincides with Goppa's construction.

Theorem 6.13. Let $F/\mathbb{F}_q$ be an algebraic function field of genus $g$ and let $P_1, P_2, \dots, P_n$ be $n$ distinct rational points of $F$. Let $G$ be a positive divisor such that $\deg(G) < n$. Let $s \ge 2$ satisfy $\mathcal{L}(sG - \sum_{i=1}^{n} P_i) = \{0\}$. Then $C(\sum_{i=1}^{n} P_i, G)_L$ is an $s$-FPC$(n, q^{\ell(G)})$.

Proof. Denote by $\mathbf{c}_f$ the codeword
$$\phi(f) = \left((t_1^{v_1} f)(P_1), \dots, (t_n^{v_n} f)(P_n)\right) \quad \text{for all } f \in \mathcal{L}(G).$$
Let $A = \{\mathbf{c}_{f_1}, \dots, \mathbf{c}_{f_r}\}$ be a subset of $C := \mathcal{C}$ with $|A| = r \le s$. Let $\mathbf{c}_g \in \mathrm{desc}(A) \cap C$ for some $g \in \mathcal{L}(G)$. Then by the definition of descendant, for each $1 \le i \le n$ we have
$$\prod_{j=1}^{r} \pi_i(\mathbf{c}_{f_j} - \mathbf{c}_g) = 0,$$
where $\pi_i(\mathbf{c}_{f_j} - \mathbf{c}_g)$ stands for the $i$th coordinate of $\mathbf{c}_{f_j} - \mathbf{c}_g$. This implies that
$$\prod_{j=1}^{r} \left(t_i^{v_i}(f_j - g)\right)(P_i) = 0,$$
i.e.,
$$\left(t_i^{r v_i} \prod_{j=1}^{r} (f_j - g)\right)(P_i) = 0.$$
This is equivalent to
$$v_{P_i}\left(\prod_{j=1}^{r} (f_j - g)\right) \ge -r v_i + 1.$$
Hence,
$$\prod_{j=1}^{r} (f_j - g) \in \mathcal{L}\left(rG - \sum_{i=1}^{n} P_i\right) \subseteq \mathcal{L}\left(sG - \sum_{i=1}^{n} P_i\right) = \{0\}.$$
Thus, the function $\prod_{j=1}^{r} (f_j - g)$ is the zero function. So $f_l - g = 0$ for some $1 \le l \le r$. Hence $\mathbf{c}_g = \mathbf{c}_{f_l} \in A$. □

From Theorem 6.13 we know that it is crucial to find a divisor $G$ such that $\mathcal{L}(sG - \sum_{i=1}^{n} P_i) = \{0\}$. Again we can apply our Theorem 3.2 to show

Lemma 6.14. Let $F/\mathbb{F}_q$ be an algebraic function field of genus $g$ with at least one rational point $P$. Let $s, m, n$ be three integers satisfying $s \ge 2$ and $g \le m < n < sm$, and let $H$ be a fixed positive divisor of degree $n$. Then there exists a positive divisor $G$ of degree $m$ such that $\mathcal{L}(sG - H) = \{0\}$, provided that $A_{sm-n}\,|\mathcal{J}[s]| < h$.
Lemma 6.15. Let $F/\mathbb{F}_q$ be an algebraic function field of genus $g$ with at least one rational point. Let $s, m, n$ be three integers satisfying $s \ge 2$, $g \le m < n < sm$ and $sm - n < g - \log_q|\mathcal{J}[s]| - \log_q \frac{qg}{(\sqrt{q} - 1)^2}$. Let $D$ be a fixed positive divisor of degree $n$. Then there exists a positive divisor $G$ of degree $m$ such that $\mathcal{L}(sG - D) = \{0\}$.

Proof. By Proposition 3.4 we have (note $1 \le sm - n \le g - 1$)
$$\frac{A_{sm-n}}{h} \le \frac{g}{q^{\,g - (sm - n) - 1}\,(\sqrt{q} - 1)^2}.$$
The condition in Lemma 6.14 is satisfied and the desired result follows. □

Theorem 6.16. Suppose that $q$ is a prime power and $s$ is an integer such that $A(q) > s \ge 2$ and $J_s(q, A(q)) < 1$. Then we have
$$R_q(s) \ge \frac{1}{s} - \frac{1}{A(q)} + \frac{1 - J_s(q, A(q))}{sA(q)}.$$

Proof. Choose a family of function fields $F/\mathbb{F}_q$ with growing genus such that $\lim_{g(F)\to\infty} N(F)/g(F) = A(q)$ and $\lim_{g(F)\to\infty} \log_q|\mathcal{J}[s]|/g(F) = J_s(q, A(q))$. Put $n = N(F)$, $g = g(F)$. Let $D = \sum_{P \in \mathbb{P}^{(1)}(F)} P$. Now for any fixed $0 < \epsilon < 1 - J_s(q, A(q))$, put
$$m = \left\lfloor \frac{n + (1 - J_s(q, A(q)) - \epsilon)\, g}{s} \right\rfloor.$$
Then we obtain
(2)
$$\lim_{g\to\infty} \frac{m}{g} = \frac{A(q) + 1 - J_s(q, A(q)) - \epsilon}{s} > \frac{A(q)}{s} > 1,$$
(3)
$$\lim_{n\to\infty} \frac{m}{n} = \frac{A(q) + 1 - J_s(q, A(q)) - \epsilon}{sA(q)} < \frac{A(q) + 1}{sA(q)} < \frac{2A(q)}{sA(q)} \le 1,$$
(4)
$$\lim_{n\to\infty} \frac{sm}{n} = 1 + \frac{1 - J_s(q, A(q)) - \epsilon}{A(q)} > 1,$$
and
(5)
$$\lim_{g\to\infty} \frac{sm - n - (1 - J_s(q, A(q)))\, g}{g} = -\epsilon < 0.$$
Therefore, for all sufficiently large $g$ we have $g < m < n < sm$ by (2), (3) and (4). It follows from (5) that for all sufficiently large $g$ we have
$$sm - n < g - \log_q|\mathcal{J}[s]| - \log_q \frac{qg}{(\sqrt{q} - 1)^2}.$$
By Lemma 6.15, there exists a divisor $G$ of degree $m$ of $F$ such that $\mathcal{L}(sG - D) = \{0\}$ for each sufficiently large $g$. Thus, by Theorem 6.13, the code $C(D, G)_L$ is an $s$-FPC$(n, q^{\ell(G)})$. Hence,
$$R_q(s) \ge \lim_{g\to\infty} \frac{\log_q q^{\ell(G)}}{n} \ge \lim_{g\to\infty} \frac{m - g + 1}{n} = \frac{1}{s} - \frac{1}{A(q)} + \frac{1 - J_s(q, A(q))}{sA(q)} - \frac{\epsilon}{sA(q)}.$$
Since the above inequality holds for any $0 < \epsilon < 1 - J_s(q, A(q))$, we get
$$R_q(s) \ge \frac{1}{s} - \frac{1}{A(q)} + \frac{1 - J_s(q, A(q))}{sA(q)}$$
by letting $\epsilon$ tend to $0$. This completes the proof. □

Corollary 6.17. Suppose that $q$ is a prime power and $s$ is an integer such that $A(q) > s \ge 2$. Then we have
(6.1)
$$R_q(s) \ge \frac{1}{s} - \frac{1}{A(q)} + \frac{1 - 2\log_q s}{sA(q)}.$$
Moreover, we obtain an improvement to the bounds in Theorem 6.11 for the following two cases.
(i) If $q$ is a square and $s$ is the characteristic of $\mathbb{F}_q$ with $\sqrt{q} - 1 > s \ge 2$, then
(6.2)
$$R_q(s) \ge \frac{1}{s} - \frac{1}{\sqrt{q} - 1} + \frac{1 - (\log_q s)/(\sqrt{q} + 1)}{s(\sqrt{q} - 1)}.$$
(ii) If $s$ does not divide $q - 1$, then
(6.3)
$$R_q(s) \ge \frac{1}{s} - \frac{1}{A(q)} + \frac{1 - \log_q s}{sA(q)}.$$

Proof. The bounds (6.1), (6.2) and (6.3) follow from Theorem 6.16 and Theorem 2.3(i), 2.3(iii) and 2.3(ii), respectively. □
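As an added example (not from the paper), the following Python code evaluates the bounds on $R_q(s)$ of Theorems 6.4, 6.7, 6.9 and 6.16 and of Corollary 6.17 numerically. It checks the claim of Remark 6.10(ii) that for $s = 2$ the bound of Theorem 6.9 beats the Gilbert-Varshamov bound of Theorem 6.7 for square $q \ge 49$ (and that the Gilbert-Varshamov bound is still the better one at $q = 25$), and it compares (6.1), (6.2) and (6.3) at $q = 64$, $s = 2$, where all three apply. It assumes $A(q) = \sqrt{q} - 1$ for square $q$ (Ihara; Tsfasman-Vlăduţ-Zink), which Corollary 6.17(i) uses but the page does not state; the function names are mine.

```python
# Added example (not from the paper): numeric comparison of the bounds on
# R_q(s) in Section 6.  A(q) = sqrt(q) - 1 for square q is an assumed known fact.
import math


def entropy_q(delta, q):
    """q-ary entropy function H_q(delta) of Theorem 6.7, for 0 < delta < 1."""
    return (delta * math.log(q - 1, q) - delta * math.log(delta, q)
            - (1 - delta) * math.log(1 - delta, q))


def upper_bound(s):
    """Theorem 6.4: R_q(s) <= 1/s."""
    return 1 / s


def gv_bound(q, s):
    """Theorem 6.7 (Gilbert-Varshamov): R_q(s) >= 1 - H_q(1 - 1/s) for 2 <= s <= q."""
    if not 2 <= s <= q:
        raise ValueError("Theorem 6.7 needs 2 <= s <= q")
    return 1 - entropy_q(1 - 1 / s, q)


def ihara_limit_square(q):
    """A(q) = sqrt(q) - 1 for square q (assumed known fact, not on this page)."""
    root = math.isqrt(q)
    if root * root != q:
        raise ValueError(f"{q} is not a square; A({q}) is not known exactly")
    return root - 1


def tvz_bound(s, A):
    """Theorem 6.9: R_q(s) >= 1/s - 1/A(q)."""
    return 1 / s - 1 / A


def torsion_bound(s, A, J):
    """Theorem 6.16: R_q(s) >= 1/s - 1/A(q) + (1 - J_s(q, A(q)))/(s A(q)),
    under A(q) > s >= 2 (the theorem also assumes J_s(q, A(q)) < 1)."""
    if not A > s >= 2:
        raise ValueError("Theorem 6.16 needs A(q) > s >= 2")
    return 1 / s - 1 / A + (1 - J) / (s * A)


def characteristic(q):
    """Characteristic of F_q, i.e. the prime p with q = p^e."""
    p = 2
    while q % p:
        p += 1
    rest = q
    while rest % p == 0:
        rest //= p
    if rest != 1:
        raise ValueError(f"{q} is not a prime power")
    return p


def corollary_6_17(q, s, A):
    """The instances of Theorem 6.16 in Corollary 6.17 that apply to (q, s),
    each with the value it substitutes for J_s(q, A(q)):
    (6.1) J = 2 log_q s, always;
    (6.2) q square, s = char(F_q), sqrt(q) - 1 > s: A = sqrt(q) - 1 and
          J = (log_q s)/(sqrt(q) + 1);
    (6.3) s does not divide q - 1: J = log_q s."""
    log_q_s = math.log(s, q)
    bounds = {"6.1": torsion_bound(s, A, 2 * log_q_s)}
    root = math.isqrt(q)
    if root * root == q and s == characteristic(q) and root - 1 > s:
        bounds["6.2"] = torsion_bound(s, root - 1, log_q_s / (root + 1))
    if (q - 1) % s != 0:
        bounds["6.3"] = torsion_bound(s, A, log_q_s)
    return bounds


def tvz_beats_gv(q, s=2):
    """Remark 6.10(ii) for square q: is the Theorem 6.9 bound larger than GV?"""
    return tvz_bound(s, ihara_limit_square(q)) > gv_bound(q, s)


if __name__ == "__main__":
    for q in (25, 49, 64):
        print(q, round(gv_bound(q, 2), 4), round(tvz_bound(2, ihara_limit_square(q)), 4),
              tvz_beats_gv(q))
    print({k: round(v, 4) for k, v in corollary_6_17(64, 2, ihara_limit_square(64)).items()})
```

At $q = 64$, $s = 2$ the three bounds come out as $(6.1) \approx 0.4048$, $(6.3) \approx 0.4167$ and $(6.2) \approx 0.4272$, all below the upper bound $1/2$ of Theorem 6.4, which illustrates the gain from the sharper torsion-limit bound used in (6.2).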